Windows Print Spoofer vulnerabilities exploited by attackers
Ransomware operators Magniber and Vice Society are on a mission to actively exploit vulnerabilities in Windows Print Spooler with the aim to spread over targeted victims’ networks to deploy file-encrypting payloads on their systems.
Magniber ransomware was first detected in 2017, where its targets belonged to South Korea. This was done through malvertising campaigns using the Magnitude Exploit Kit (EK). Previously the ransomware was used to infect only victims in South Korea, but by mid-2018, it went ahead and started infecting systems of other Asia Pacific countries.
Vice Society is a relatively new entity, detected in the mid of this year. Its main target includes public school districts and other educational establishments.
From June 2021, the “PrintNightmare” issues affecting the Windows print spooler service have come to notice. These could enable remote code execution when the privileged file operations were performed.
- CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
- CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
- CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
- CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)
CrowdStrike claimed that its efforts to prevent attempts made by the Magniber ransomware group at exploiting the PrintNightmare vulnerability, were successful.
Vice Society, on the other hand, was smart enough to leverage techniques to carry out post-compromise investigation before bypassing native Windows protections.
Specifically, the adversary is said to have utilized a malicious library linked to the PrintNightmare flaw (CVE-2021-34527) to pivot to the systems across the environment and access the victim’s credentials.
Research also pointed out the attackers are constantly upgrading their ransomware approach. Their exploitation of the PrintNightmare is a clear indication that these actors are very attentive and will be prompt to devise new tools that make the attacks more convenient.