PrintNightmare on Windows servers: Hackers who carry out ransomware attacks have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.
PrintNightmare is a class of vulnerabilities (monitored as CVE-2021-1675, CVE-2021-34527 and CVE-2021-36958) affecting Windows Print Spooler, Windows print drivers, and Windows Point and Print features.
Microsoft released security updates for CVE-2021-1675 and CVE-2021-34527 in June, July, and August.
Also on Wednesday, a security advisory was released providing workarounds for CVE-2021-36958 (a zero-day local privilege escalation bug for which no security update is yet available).
Hackers can use these vulnerabilities for local privilege escalation (LPE) or, via remote code execution (RCE) with SYSTEM privileges, to distribute malware as Windows domain admins.
Ransomware uses PrintNightmare exploits
As CrowdStrike investigators discovered last month, hackers deploying Magniber ransomware are using PrintNightmare exploits in attacks on victims in South Korea.
After breaching servers that have not been properly patched against PrintNightmare, Magniber launches a DLL loader, which is first injected into a process and later unpacked to run locally and encrypt files on the compromised device.
In early February 2021, CrowdStrike observed Magniber being delivered via the Magnitude exploit kit to Internet Explorer users in South Korea whose systems had not been patched for CVE-2020-0968.
The Magniber ransomware has been active since October 2017, when it was first delivered through the Magnitude Exploit Kit (EK) as the successor to the Cerber ransomware.
While initially focusing on South Korean victims, the Magniber gang soon expanded its operations worldwide, shifting targets to other countries such as China, Taiwan, Hong Kong, Singapore, Malaysia and more.
More hacking teams are expected to add PrintNightmare to their arsenal.
At the moment there is only evidence that the hacking team behind Magniber uses PrintNightmare exploits to target potential victims. CrowdStrike assesses that the PrintNightmare vulnerabilities combined with ransomware deployment are likely to remain a weapon in the hands of hackers.
To protect your network from potentially targeted attacks, apply any available patch as soon as possible, and apply the Microsoft-provided workarounds to close the gap where a security update is not yet available.
On July 13, CISA issued an emergency directive ordering federal agencies to mitigate PrintNightmare vulnerabilities in their networks.
The agency also issued a notice about PrintNightmare on July 1, encouraging security professionals to disable the Windows Print Spooler service on all systems that do not need to print.
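One way for a defender to audit a host for the mitigations recommended above. This is an added PowerShell example, not code from the article or from CrowdStrike; the registry values are Microsoft's documented Point and Print hardening settings for CVE-2021-34527, and the script assumes local administrator rights on a host running PowerShell 5.1 or later.

```powershell
# Added example (not from the article): report Print Spooler state and Point and Print
# hardening on this host, and optionally disable the Spooler on systems that never print.
# Assumes local administrator rights; run with -DisableSpooler only on non-print systems.
param([switch]$DisableSpooler)

$findings = @()

# 1. Print Spooler service state: on a server that does not print it should be stopped and disabled.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    $findings += [pscustomobject]@{
        Check  = 'Spooler service'
        Value  = "$($spooler.Status) / StartType=$($spooler.StartType)"
        Status = if ($spooler.Status -eq 'Running') { 'REVIEW' } else { 'OK' }
    }
}

# 2. Point and Print hardening values from Microsoft's CVE-2021-34527 guidance.
#    A missing value is treated as 0, the documented default, for the comparison below.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expected = @{
    RestrictDriverInstallationToAdministrators = 1  # only admins may install print drivers
    NoWarningNoElevationOnInstall              = 0  # 1 would re-open the exploit path
    UpdatePromptSettings                       = 0  # 1 or 2 suppresses driver update prompts
}
foreach ($name in $expected.Keys) {
    $actual    = (Get-ItemProperty -Path $ppKey -Name $name -ErrorAction SilentlyContinue).$name
    $effective = if ($null -eq $actual) { 0 } else { [int]$actual }
    $findings += [pscustomobject]@{
        Check  = "PointAndPrint\$name"
        Value  = if ($null -eq $actual) { 'not set (default 0)' } else { $actual }
        Status = if ($effective -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
    }
}

$findings | Format-Table -AutoSize

# 3. Optional remediation for hosts that never print: stop and disable the service so the
#    vulnerable RPC interface is no longer exposed.
if ($DisableSpooler -and $spooler -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
}
```

Any row marked REVIEW indicates a host still exposed to the Point and Print abuse path or running a Spooler it may not need; print servers keep the service but must carry the July/August patches and the hardening values.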
With information from bleepingcomputer.com