
Hackers use PrintNightmare to hack Windows servers

Ransomware operators have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.

PrintNightmare is a class of vulnerabilities (tracked as CVE-2021-1675, CVE-2021-34527 and CVE-2021-36958) affecting the Windows Print Spooler, Windows print drivers, and the Windows Point and Print feature.

Microsoft released security updates for CVE-2021-1675 and CVE-2021-34527 in June, July, and August.

See also: Patch Tuesday August 2021 Fixed 44 vulnerabilities and Print Spooler


Also on Wednesday, a security advisory was released providing workarounds for CVE-2021-36958, a zero-day privilege escalation bug for which no security update is yet available.

Attackers can use these vulnerabilities for local privilege escalation (LPE), or, via remote code execution (RCE) with SYSTEM privileges, to distribute malware across a Windows domain as if they were domain admins.

See also: Microsoft: Warns of new vulnerabilities in Windows Print Spooler

Ransomware uses PrintNightmare exploits

As CrowdStrike investigators discovered last month, the hackers behind Magniber ransomware are using PrintNightmare exploits in attacks on victims in South Korea.

After breaching servers that have not been patched for PrintNightmare, Magniber drops a DLL loader, which is first injected into a process and later unpacked to run a local file and encrypt files on the compromised device.


In early February 2021, CrowdStrike observed Magniber being delivered via the Magnitude exploit kit to Internet Explorer users in South Korea whose browsers had not been patched for CVE-2020-0968.

The Magniber ransomware has been active since October 2017, when it was first distributed by the Magnitude Exploit Kit (EK) as the successor to the Cerber ransomware.

While initially focusing on South Korean victims, the Magniber gang soon expanded its operations worldwide, adding targets in other countries such as China, Taiwan, Hong Kong, Singapore and Malaysia.

More hacking teams are expected to add PrintNightmare to their arsenal.

See also: PrintNightmare bug Emergency security update for Windows systems


At the moment there is only evidence that the group behind Magniber uses PrintNightmare exploits to target potential victims. CrowdStrike assesses that the PrintNightmare vulnerabilities, combined with ransomware deployment, are likely to remain a weapon in the hands of attackers.

To protect your network from targeted attacks, apply any available patch as soon as possible and, where a security update is not yet available, apply the Microsoft-provided workarounds to close the gap.

See also: Does antivirus software protect you from the threat of ransomware?

On July 13, CISA issued an emergency directive ordering federal agencies to mitigate PrintNightmare vulnerabilities in their networks.

CISA had also issued a notice about PrintNightmare on July 1, encouraging security professionals to disable the Windows Print Spooler on all systems that do not need to print.
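As an added defensive example (not code from the article or from CrowdStrike), the following PowerShell audit checks a Windows host against the mitigations described above: whether the Print Spooler is running on a host that shares no printers, and whether the Point and Print hardening values Microsoft introduced with the August 2021 updates are set. The registry path and value names are taken from Microsoft's published guidance, not from this article, and are assumptions of the example.

```powershell
# Audit a Windows host for PrintNightmare mitigations. Run from an elevated
# PowerShell session. Registry names are assumptions based on Microsoft's
# Point and Print guidance, not values quoted in the article above.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $shared = @()
    if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }
    $pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $restrict = (Get-ItemProperty -Path $pnp -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    $noWarn   = (Get-ItemProperty -Path $pnp -Name NoWarningNoElevationOnInstall -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall

    $findings = @()
    if ($svc -and $svc.Status -eq 'Running' -and $shared.Count -eq 0) {
        $findings += 'Print Spooler is running but no printers are shared: disable it if this host never prints.'
    }
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1: non-admins may still install print drivers.'
    }
    if ($noWarn -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall is 1: Point and Print warnings are suppressed (Microsoft advises 0).'
    }
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SpoolerStatus  = $status
        SharedPrinters = $shared.Count
        Findings       = $findings
    }
}

# Stop and disable the Spooler only on hosts that share no printers.
# Supports -WhatIf so the change can be previewed before it is applied.
function Disable-UnusedSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-SpoolerExposure
    if ($state.SharedPrinters -gt 0) {
        Write-Warning "Host shares $($state.SharedPrinters) printer(s); leaving Spooler enabled."
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

Get-SpoolerExposure | Format-List
```

Run `Disable-UnusedSpooler -WhatIf` first to see what would change; the audit alone makes no modifications.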

With information from