Windows PrintNightmare is the new weak link that cybercriminals are now exploiting in order to infect the computers of their victims with ransomware. According to a new report, there is a growing number of ransomware groups who are attempting to take advantage of unpatched networks.
The remote code execution vulnerabilities (CVE-2021-34527 and CVE-2021-1675) affect Windows Print Spooler, a service that is enabled by default on all Windows computers and is used to copy data between devices in order to manage print jobs.
Because it is a newly available way into victims' computers, attackers who exploit it can run arbitrary code, which lets them install programs; view, modify or delete data; create new accounts with full user rights; and move laterally across networks, according to a new report published by tech publisher ZDNet.
This gives ransomware gangs a way to use PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for the decryption key needed to unlock their systems.
One of them is Vice Society, a relatively new player in the ransomware space that first appeared in June and conducts hands-on, human-operated campaigns against targets. Vice Society is known to be quick to exploit new security vulnerabilities to help ransomware attacks and, according to cybersecurity researchers at Cisco Talos, they’ve added PrintNightmare to their arsenal of tools for compromising networks.
These cybercriminals use double extortion attacks, stealing data from victims' computers and threatening to publish it if they are not paid. According to Cisco Talos, the new ransomware group Vice Society focuses on small and midsize victims such as schools and other educational institutions.
Because Windows systems are ubiquitous in these environments, Vice Society can use the PrintNightmare vulnerabilities, wherever patches haven't been applied, to execute code, maintain persistence on networks and deliver ransomware.
“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks,” Cisco Talos researchers wrote in a blog post.
“Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.”
Another group that actively exploits the PrintNightmare vulnerabilities is Magniber, which has been known for regularly introducing new features and attack methods since 2017.
The group initially spread its attacks through malvertising before moving on to exploiting unpatched security vulnerabilities in software such as Internet Explorer and Flash. The ransomware group is notorious in South Korea, where the majority of its victims are located.
According to the cybersecurity research firm CrowdStrike, Magniber has joined the list of cybercriminal groups exploiting newly disclosed vulnerabilities to aid their attacks before network operators have applied the patch.
With that said, it's very likely that other ransomware groups and hacking campaigns will move to exploit the PrintNightmare vulnerabilities, which is why it's a good idea to ensure your systems are patched as fast as you possibly can.
“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” said Liviu Arsene, director of threat research and reporting at CrowdStrike.
“We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries,” he added.