Researchers over the past couple of days reported that two different ransomware gangs — one fairly new, the other several years old — have been actively exploiting the PrintNightmare vulnerability in the Windows Print Spooler service to launch ransomware attacks.
In a Thursday blog post, Cisco Talos researchers said these attacks are of particular concern because multiple threat actors view the PrintNightmare as attractive to use during their attacks and could indicate that many other threat groups would also use it.
The Cisco Talos researchers underscored that it’s important for defenders to understand the attack lifecycle leading up to the deployment of ransomware. In the blog post, they outlined the tactics, techniques and procedures of the Vice Society ransomware gang, a group that emerged in mid-2021. The Cisco Talos team says if security teams have not done so already, they should download the latest patch for PrintNightmare from Microsoft.
The other case was reported by CrowdStrike researchers, who said Wednesday that they recently observed that Magniber — a 2017 ransomware family — was using the PrintNightmare vulnerability on victims in South Korea. CrowdStrike said on July 13, it successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability before any encryption on customers took place.
After being originally documented as an elevation of privilege (EoP) vulnerability, PrintNightmare can now also enable remote code execution (RCE), said Austin Merritt, cyber threat intelligence analyst at Digital Shadows. Merritt said this increases the severity of the vulnerability as an attacker can use it to both gain remote access and take control of Active Directory.
“Since June 2021, we have observed a POC for exploiting the PrintNightmare vulnerability advertised on Russian-language cybercriminal forums, and one user even advertised a penetration testing tool with ‘a working PrintNightmare exploit integrated into it,’” said Merritt. “It's not surprising that the vulnerability is now being leveraged to conduct ransomware attacks. While we have not seen the POC explicitly advertised in the context of ransomware, the vulnerability can certainly be weaponized as a precursor to a ransomware attack.”
Jake Williams, co-founder and CTO at BreachQuest, said there was never any doubt that attackers would use PrintNightmare, particularly for privilege escalation. In the reported cases, Williams said it appears that PrintNightmare was used to escalate privileges to facilitate lateral movement, not for lateral movement itself.
“That doesn’t make it any less serious — anything that gets a threat actor privileges to laterally move is still a benefit for them,” Williams said. “While organizations should, of course, focus on mitigating new vulnerabilities like PrintNightmare, focusing on post-exploitation activities taken by threat actors is at least as important.”