Ransomware gang uses PrintNightmare to breach Windows servers

Ransomware operators have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.

PrintNightmare is a class of security vulnerabilities (tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) affecting the Windows Print Spooler service, Windows print drivers, and the Windows Point and Print feature.

Microsoft released security updates addressing CVE-2021-1675 and CVE-2021-34527 in June, July, and August.

The company also published a security advisory on Wednesday providing a workaround for CVE-2021-36958 (a zero-day privilege escalation bug for which no patch is yet available).

Threat actors can use these security flaws for local privilege escalation (LPE) or, as Windows domain admins, to distribute malware through remote code execution (RCE) with SYSTEM privileges.

Ransomware now using PrintNightmare exploits

And, as CrowdStrike researchers discovered last month, the Magniber ransomware gang is now using PrintNightmare exploits for exactly these purposes in attacks against South Korean victims.

"On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place," said Liviu Arsene, CrowdStrike's Director of Threat Research and Reporting.

After compromising servers unpatched against PrintNightmare, Magniber drops an obfuscated DLL loader, which is first injected into a process and later unpacked to perform local file traversal and encrypt files on the compromised device.

In early February 2021, CrowdStrike observed Magniber being delivered through the Magnitude EK onto South Korean devices running Internet Explorer unpatched against the CVE-2020-0968 vulnerability.

Magniber ransomware has been active since October 2017, when it was being deployed via malvertising using the Magnitude Exploit Kit (EK) as the successor of Cerber ransomware.

While it initially focused on South Korean victims, the Magniber gang quickly expanded its operations worldwide, switching targets to other countries, including China, Taiwan, Hong Kong, Singapore, Malaysia, and more.

More threat groups expected to add PrintNightmare to their arsenals

Although there is so far only evidence of the Magniber gang using PrintNightmare exploits in the wild, other attackers will likely join in, given that several proof-of-concept exploits have been released since the vulnerability was reported.

"CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors," Arsene concluded.

To defend against attacks that may target your network, you are advised to apply any available patches as soon as possible and to implement the workarounds provided by Microsoft to remove the attack vector where a security update is not yet available.

On July 13, CISA issued an emergency directive ordering federal agencies to mitigate the actively exploited PrintNightmare vulnerability on their networks.

The cybersecurity agency also published a PrintNightmare alert on July 1st, encouraging security professionals to disable the Windows Print Spooler service on all systems not used for printing.
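The following PowerShell is an added example, not part of the article and not Microsoft's or CISA's own tooling, showing one way to act on the "disable the Print Spooler on systems not used for printing" guidance above. It assumes an elevated session on the server being checked, and it uses "the host shares no printers" as a stand-in for "not used for printing", which is an assumption an administrator should confirm against their own print inventory. The function names `Get-SpoolerExposure` and `Disable-SpoolerIfUnused` are hypothetical.

```powershell
# Added example (not from the article): audit the Print Spooler on a Windows
# server and, when the host shares no printers, stop and disable the service,
# which removes the PrintNightmare attack surface on hosts that do not print.
# Assumes an elevated PowerShell session. The heuristic "no shared printers
# means this is not a print server" is an assumption; verify it for your fleet.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Present = $false } }

    # Get-Printer comes from the PrintManagement module. It fails when the
    # spooler is already stopped, so treat that case as "no printers".
    $shared = @()
    try {
        $shared = @(Get-Printer -ErrorAction Stop | Where-Object { $_.Shared })
    } catch { }

    [pscustomobject]@{
        Present        = $true
        Status         = $svc.Status
        StartType      = $svc.StartType
        SharedPrinters = $shared.Count
        # A running spooler on a host that shares nothing is the case the CISA
        # alert targets: nothing depends on it, so it should be off.
        ShouldDisable  = ($svc.Status -eq 'Running' -and $shared.Count -eq 0)
    }
}

function Disable-SpoolerIfUnused {
    param([switch]$WhatIf)
    $state = Get-SpoolerExposure

    if (-not $state.Present -or -not $state.ShouldDisable) {
        $desc = if ($state.Present) { $state.Status } else { 'not installed' }
        Write-Host "No action: spooler $desc, shared printers: $($state.SharedPrinters)"
        return $state
    }
    if ($WhatIf) {
        Write-Host "Would stop and disable Spooler (no shared printers on this host)"
        return $state
    }

    # -Force stops dependent services (e.g. Fax) along with the spooler;
    # Disabled as the startup type keeps it off across reboots.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Get-SpoolerExposure
}

# Dry run first, then apply once the result matches expectations:
Disable-SpoolerIfUnused -WhatIf
# Disable-SpoolerIfUnused
```

Running the dry run across a server estate (for example via `Invoke-Command`) gives a quick inventory of which hosts still run the spooler without sharing printers; those are the ones where disabling it costs nothing and closes the service the exploits depend on. Hosts that do share printers still need the Microsoft patches and workarounds referenced above rather than a service shutdown.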
