Ransomware Operators Exploiting Windows Print Spooler Vulnerabilities

Cybersecurity researchers at Cisco Talos have observed the Vice Society ransomware group actively exploiting the PrintNightmare vulnerability in the Windows Print Spooler to move laterally across victims' networks.

In their report, the researchers note that PrintNightmare is not a single bug but a collection of vulnerabilities (CVE-2021-1675, CVE-2021-34527 and CVE-2021-36958) in the Windows Print Spooler, Windows printer drivers and the Windows Point and Print functionality.

Who is Vice Society?

After detecting the attack, the researchers began an investigation and reported that Vice Society is a relatively new player in the ransomware space.

According to the report, the group first appeared in mid-2021, and the researchers have since seen it conducting big-game hunting and double-extortion attacks.

Vice Society generally targets small businesses and organizations, and it has also targeted public schools and other educational institutions.

The group is quick to adopt newly disclosed vulnerabilities for lateral movement and persistence on a victim's network.

The group has also shown some innovation in its operations, notably in bypassing endpoint detection and response (EDR) products.

Vulnerabilities Detected Till Now

  • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

After investigating the attack, the analysts attributed another human-operated ransomware intrusion to Vice Society and documented several notable tactics, techniques and procedures (TTPs) used by the threat actors during the operation.

Characteristics of the group's operations

Some notable characteristics of this attack are listed below:

  • The threat actors used utilities such as proxychains and impacket throughout the post-compromise stages of the attack lifecycle.
  • They targeted backups to prevent recovery after ransomware deployment.
  • They encrypted ESXi servers used for virtualization in victim environments.
  • They used a DLL that takes advantage of the recently disclosed PrintNightmare vulnerability, for which Microsoft had already published a security update.
  • They made many attempts to bypass local Windows protections in order to steal credentials and escalate privileges.

Protect Systems from Print Spooler Attacks 

The researchers also explained briefly how organizations can protect systems from Print Spooler attacks; according to the report, at the time of writing there is still no patch for this vulnerability.

However, the analysts said that users can protect themselves by stopping and disabling the Print Spooler service.

Moreover, according to Microsoft, printers can also be shared through the web Point-and-Print protocol, which may allow the installation of arbitrary printer drivers without relying on SMB traffic.
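As an added example (not code from the Talos report or this article), the following PowerShell audits a host's Print Spooler state together with Microsoft's documented Point and Print hardening registry values, and provides a function to stop and disable the service on hosts that do not need to print. The function names, the `-WhatIf` preview and the warning logic are this example's own.

```powershell
# Added example, not from the Talos report or the article.
# Audits the Print Spooler and the Point and Print policy values that
# Microsoft documents for PrintNightmare hardening; function names are ours.
function Get-SpoolerExposure {
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pp    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props = Get-ItemProperty -Path $pp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerStatus    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType = if ($svc) { $svc.StartType } else { 'N/A' }
        # 0 or absent = elevation prompt on driver install (hardened); 1 = silent install
        NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        # 0 or absent = prompt on driver update (hardened)
        UpdatePromptSettings = $props.UpdatePromptSettings
        # 1 = only administrators may install printer drivers (hardened)
        RestrictDriverInstallationToAdministrators = $props.RestrictDriverInstallationToAdministrators
    }
}

# Stops and disables the spooler; supports -WhatIf so the change can be previewed.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

$state = Get-SpoolerExposure
$state | Format-List

# Flag the risky combination: spooler running while non-admins may still install drivers.
if ($state.SpoolerStatus -eq 'Running' -and
    $state.RestrictDriverInstallationToAdministrators -ne 1) {
    Write-Warning 'Spooler is running without the driver-install restriction; consider Disable-PrintSpooler (preview with -WhatIf).'
}
```

Run it in an elevated session; on a print server the spooler must stay running, so apply the registry hardening instead of disabling the service.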

The threat actors used a variety of methods, tools and techniques in pursuit of their objectives.

There is also significant overlap between the methods used here and those commonly observed from other threat actors during similar operations.

Indicators of Compromise (IOCs)

PrintNightmare DLL: 6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af