
Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities

Ransomware operators such as Magniber and Vice Society are
actively exploiting vulnerabilities in Windows Print Spooler to
compromise victims and spread laterally across a victim’s network
to deploy file-encrypting payloads on targeted systems.

“Multiple, distinct threat actors view this vulnerability as
attractive to use during their attacks and may indicate that this
vulnerability will continue to see more widespread adoption and
incorporation by various adversaries moving forward,” Cisco Talos
said[1]
in a report published Thursday, corroborating an independent analysis[2]
from CrowdStrike, which observed instances of Magniber ransomware
infections targeting entities in South Korea.


While Magniber ransomware was first spotted in late 2017
singling out victims in South Korea through malvertising campaigns,
Vice Society is a new entrant that emerged on the ransomware
landscape in mid-2021, primarily targeting public school districts
and other educational institutions. The attacks are said to have
taken place since at least July 13.

Since June, a series of “PrintNightmare” issues affecting the
Windows print spooler service has come to light that could enable
remote code execution when the component performs privileged file
operations:

  • CVE-2021-1675[3] – Windows Print Spooler
    Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527[4] – Windows Print Spooler
    Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481[5] – Windows Print Spooler
    Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936[6] – Windows Print Spooler
    Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947[7] – Windows Print Spooler
    Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483[8] – Windows Print Spooler
    Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958[9] – Windows Print Spooler
    Remote Code Execution Vulnerability (Unpatched)
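As an added defender's check, not code from the Talos or CrowdStrike reports: the PowerShell function below audits a single Windows host for the conditions the PrintNightmare CVEs above depend on, namely a running Spooler service that accepts remote connections and Point and Print policy values that permit non-administrators to install or update printer drivers. It assumes Microsoft's documented mitigation registry path and value names for CVE-2021-34527 (`PointAndPrint` policy values, `RegisterSpoolerRemoteRpcEndPoint`); verify them against your own hardening baseline.

```powershell
# Added example: audit one host for Print Spooler exposure relevant to PrintNightmare.
# Assumption: the policy path and value names are Microsoft's documented mitigation
# settings for CVE-2021-34527 (not taken from the article above).
function Test-PrintSpoolerExposure {
    [CmdletBinding()]
    param(
        [string]$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
        [string]$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    )

    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Read a DWORD policy value; $null means the key or value is not configured.
    $get = {
        param($Path, $Name)
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $noWarn    = & $get $PointAndPrintKey 'NoWarningNoElevationOnInstall'
    $updPrompt = & $get $PointAndPrintKey 'UpdatePromptSettings'
    $restrict  = & $get $PointAndPrintKey 'RestrictDriverInstallationToAdministrators'
    $remoteRpc = & $get $PrintersKey      'RegisterSpoolerRemoteRpcEndPoint'   # 2 = disabled

    $findings = @()
    if ($running -and $remoteRpc -ne 2) { $findings += 'Spooler running and accepting remote RPC client connections' }
    if ($noWarn    -eq 1)               { $findings += 'NoWarningNoElevationOnInstall=1 (driver install without elevation)' }
    if ($updPrompt -eq 1)               { $findings += 'UpdatePromptSettings=1 (driver update without prompt)' }
    if ($restrict  -ne 1)               { $findings += 'RestrictDriverInstallationToAdministrators is not 1' }

    # Hardened only when no weak condition was observed; patch level is checked separately.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerRunning = $running
        Hardened       = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

Test-PrintSpoolerExposure | Format-List
```

Run it elevated; to sweep a fleet, wrap the function in `Invoke-Command -ComputerName` and collect the objects, and treat a `Hardened = False` result as a host that still needs the listed patches or the Spooler disabled where printing is not required.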

CrowdStrike noted it was able to successfully prevent attempts
made by the Magniber ransomware gang at exploiting the
PrintNightmare vulnerability.


Vice Society, on the other hand, leveraged a variety of
techniques to conduct post-compromise discovery and reconnaissance
prior to bypassing native Windows protections for credential theft
and privilege escalation.


Specifically, the attacker is believed to have used a malicious
library associated with the PrintNightmare flaw (CVE-2021-34527) to
pivot to multiple systems across the environment and extract
credentials from the victim.

“Adversaries are constantly refining their approach to the
ransomware attack lifecycle as they strive to operate more
effectively, efficiently, and evasively,” the researchers said.
“The use of the vulnerability known as PrintNightmare shows that
adversaries are paying close attention and will quickly incorporate
new tools that they find useful for various purposes during their
attacks.”

References

  1. said (blog.talosintelligence.com)
  2. independent analysis (www.crowdstrike.com)
  3. CVE-2021-1675 (thehackernews.com)
  4. CVE-2021-34527 (thehackernews.com)
  5. CVE-2021-34481 (thehackernews.com)
  6. CVE-2021-36936 (thehackernews.com)
  7. CVE-2021-36947 (thehackernews.com)
  8. CVE-2021-34483 (thehackernews.com)
  9. CVE-2021-36958 (thehackernews.com)
