Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim's network to deploy file-encrypting payloads on targeted systems.
"Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward," Cisco Talos said in a report published Thursday, corroborating an independent analysis from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.
While Magniber ransomware was first observed in late 2017 singling out victims in South Korea via malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. The attacks are said to have taken place since at least July 13.
Since June, a series of "PrintNightmare" issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations:
- CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
- CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
- CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
- CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)
CrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.
Vice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.
Specifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.
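A defender-side check for the malicious-driver pattern described above, added here as an example that is not part of the original report or of the Talos and CrowdStrike analyses. It assumes the spooler's PrintService events have been exported as `id|timestamp|message` text lines; the sample events are constructed, and the allow-list of expected driver files is an assumption to be tuned per environment.

```python
import re

# Constructed sample of Microsoft-Windows-PrintService events (not real telemetry).
# Event 316 (Operational) records a driver add/update and the files it installed;
# event 808 (Admin) records a plug-in module the spooler failed to load.
SAMPLE_EVENTS = """\
316|2021-07-13T09:12:44|Printer driver HP Universal for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, hpcpp.dll
316|2021-07-13T09:14:02|Printer driver Generic for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll, update.dll
808|2021-07-13T09:14:03|The print spooler failed to load a plug-in module C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\update.dll, error code 0x45A.
316|2021-07-14T11:00:00|Printer driver Generic for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, kernelbase.dll
"""

# Files a legitimate driver package in this (hypothetical) environment is expected to ship.
KNOWN_DRIVER_FILES = {"unidrv.dll", "kernelbase.dll", "hpcpp.dll"}

FILES_RE = re.compile(r"Files:-\s*(.+)$")
PLUGIN_RE = re.compile(r"failed to load a plug-in module (.+?), error code (0x[0-9A-Fa-f]+)")


def find_suspicious(events: str, known=KNOWN_DRIVER_FILES):
    """Return (event_id, timestamp, reason) for events matching the PrintNightmare pattern:
    a driver added with a file outside the allow-list, or a spooler plug-in load failure
    for a module under the spool\\DRIVERS tree."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        event_id, ts, msg = line.split("|", 2)
        if event_id == "316":
            m = FILES_RE.search(msg)
            files = {f.strip().lower() for f in m.group(1).split(",")} if m else set()
            unknown = sorted(files - known)
            if unknown:
                hits.append((event_id, ts, "driver added with unexpected file(s): " + ", ".join(unknown)))
        elif event_id == "808":
            m = PLUGIN_RE.search(msg)
            if m and "\\spool\\drivers\\" in m.group(1).lower():
                hits.append((event_id, ts, f"spooler failed to load {m.group(1)} ({m.group(2)})"))
    return hits


if __name__ == "__main__":
    for event_id, ts, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"[{ts}] event {event_id}: {reason}")
```

Correlating a 316 with an unexpected file and an 808 for the same module within seconds, as in the sample, is the pairing worth escalating; a lone 316 for a vendor package update is routine noise.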
"Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively," the researchers said. "The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks."