Cybersecurity researchers at Cisco Talos have observed the Vice Society ransomware group actively exploiting the PrintNightmare vulnerability in the Windows Print Spooler to move laterally across its victims' networks.
The researchers note in their report that PrintNightmare is not a single bug but a set of vulnerabilities, tracked as CVE-2021-1675, CVE-2021-34527 and CVE-2021-36958, affecting the Windows Print Spooler, Windows print drivers and the Windows Point and Print functionality.
Who is Vice Society?
After detecting the attack, the researchers began an investigation and reported that Vice Society is a relatively new player in the ransomware space.
According to the report, the group emerged in mid-2021, and the researchers observed that it quickly began launching big-game hunting and double-extortion attacks.
Vice Society typically targets small and mid-sized businesses and organizations, and it also targets public schools and other educational institutions.
The group is quick to leverage newly disclosed vulnerabilities for lateral movement as well as for persistence on a victim's network.
The group is also innovating in how it runs its operations, particularly in bypassing endpoint detection and response (EDR) products.
Print Spooler Vulnerabilities Disclosed So Far
- CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
- CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
- CVE-2021-34481 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
- CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
- CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
- CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched at the time of the report)
After investigating the attack, the analysts concluded that it was another human-operated ransomware intrusion attributable to Vice Society. The researchers documented several notable tactics, techniques and procedures (TTPs) the threat actors used during the operation.
Characteristics of the group's operations
Some notable characteristics of this attack are listed below:
- The threat actors used utilities such as proxychains and Impacket throughout the post-compromise phases of the attack lifecycle.
- They targeted backups to prevent recovery after the ransomware was deployed.
- ESXi servers used for virtualization in victim environments were also targeted.
- They used a DLL that exploits the recently disclosed PrintNightmare vulnerability, for which Microsoft had already published a security update.
- They made several attempts to bypass native Windows protections in order to steal credentials and escalate privileges.
Protecting Systems from Print Spooler Attacks
The researchers briefly describe how organizations can protect systems from Print Spooler attacks; according to the report, there is still no patch for CVE-2021-36958.
However, the analysts note that administrators can protect hosts that do not need to print simply by stopping and disabling the Print Spooler service.
Moreover, according to Microsoft, printers can also be shared via the web Point-and-Print protocol (Internet Printing), which may allow the installation of arbitrary printer drivers and does not rely on SMB traffic, so blocking SMB alone is not a complete mitigation.
Threat actors typically use a variety of techniques, tools and ideas as they work toward their mission objectives.
There is also significant overlap among the techniques commonly used by prominent threat actors during their operations.
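The following PowerShell is an added example, not code from the Talos report or from Microsoft, showing the two mitigations described above applied per host: disabling the Print Spooler service where printing is not needed, and, on hosts that must keep the service, enforcing the Point and Print hardening that Microsoft shipped with the August 2021 updates. The registry path and value names are Microsoft's documented Point and Print policy values; the function name, the -KeepPrinting switch and the ordering are this example's own assumptions. Run it from an elevated session.

```powershell
# Added example: audit and harden Print Spooler exposure on one Windows host.
# Not from the Talos report; registry names are Microsoft's documented
# Point and Print policy values, everything else here is an assumption.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Invoke-SpoolerHardening {
    param(
        # Set this only on print servers / workstations that genuinely must print.
        [switch] $KeepPrinting
    )

    $svc = Get-Service -Name Spooler
    Write-Host ("Before: Spooler status={0} startType={1}" -f $svc.Status, $svc.StartType)

    if (-not $KeepPrinting) {
        # Hosts that do not print (domain controllers, most servers) should not
        # run the service at all; that removes both the RCE and the EoP paths.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        Set-Service -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler
        Write-Host ("After:  Spooler status={0} startType={1}" -f $svc.Status, $svc.StartType)
        return
    }

    # Hosts that keep printing: report the current Point and Print policy and
    # then enforce the secure values. A missing value means the policy is not
    # configured, which on an unpatched host leaves the permissive default.
    $desired = @{
        RestrictDriverInstallationToAdministrators = 1   # only admins may install drivers
        NoWarningNoElevationOnInstall              = 0   # keep the elevation prompt
        UpdatePromptSettings                       = 0   # keep the driver-update prompt
    }

    if (-not (Test-Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }

    foreach ($name in $desired.Keys) {
        $current = (Get-ItemProperty -Path $PointAndPrintKey -Name $name -ErrorAction SilentlyContinue).$name
        $shown = if ($null -eq $current) { '<not set>' } else { $current }
        Write-Host ("{0}: current={1} desired={2}" -f $name, $shown, $desired[$name])
        if ($current -ne $desired[$name]) {
            Set-ItemProperty -Path $PointAndPrintKey -Name $name -Value $desired[$name] -Type DWord
        }
    }
}

# Example usage (assumed roles for illustration):
#   Invoke-SpoolerHardening                  # file server / DC: disable the service
#   Invoke-SpoolerHardening -KeepPrinting    # print server: keep service, enforce policy
```

Disabling the service is only safe where nothing depends on printing; on a print server the policy values are the relevant control, and they only take effect once the August 2021 update that honours RestrictDriverInstallationToAdministrators is installed.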
Indicators of Compromise (IOCs)
PrintNightmare DLL: 6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af
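As an added example (not part of the report), the following PowerShell hunts a single host for the DLL hash above. The spooler driver and print-processor directories are where a malicious driver DLL lands when a PrintNightmare exploit succeeds; the temp directories and the PrintService event query are this example's own assumptions for a slightly broader sweep.

```powershell
# Added example: hunt one host for the PrintNightmare DLL IOC by SHA-256.
# Not from the Talos report; the search paths and event query are assumptions.

$Ioc = '6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af'

function Find-PrintNightmareDll {
    param([string] $Sha256 = $Ioc)

    # Spooler driver store and print processors are where exploited DLLs are
    # written; the temp locations are a common staging area (assumed).
    $paths = @(
        "$env:SystemRoot\System32\spool\drivers",
        "$env:SystemRoot\System32\spool\prtprocs",
        "$env:SystemRoot\Temp",
        $env:TEMP
    ) | Where-Object { $_ -and (Test-Path $_) }

    Get-ChildItem -Path $paths -Recurse -File -Include *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $hash -ieq $Sha256) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Written  = $_.LastWriteTimeUtc
                    Sha256   = $hash
                }
            }
        }
}

function Get-RecentSpoolerPluginFailures {
    # Event 808 in the PrintService Admin log ("failed to load a plug-in module")
    # is a commonly cited side effect of a failed or partially failed driver load;
    # treat it as a lead, not proof of compromise.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$hits = @(Find-PrintNightmareDll)
if ($hits.Count -gt 0) {
    Write-Host "IOC match found:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No file matching the IOC hash found in the searched paths."
}

Get-RecentSpoolerPluginFailures | Format-Table -AutoSize
```

A hash match is only useful against the exact sample Talos observed; a recompiled DLL will not match, so the file-system sweep should be paired with watching for new DLLs appearing under the spool\drivers tree and with the event-log lead above.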