Ransomware operators have added PrintNightmare exploits to their arsenal and are targeting Windows servers to deploy Magniber ransomware payloads.
PrintNightmare is a class of security vulnerabilities (tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) impacting the Windows Print Spooler service, Windows print drivers, and the Windows Point and Print feature.
Microsoft has released security updates to address CVE-2021-1675 and CVE-2021-34527 in June, July, and August.
The company also published a security advisory on Wednesday providing a workaround for CVE-2021-36958 (a zero-day bug allowing privilege escalation, with no patch available).
Threat actors can use these security flaws for local privilege escalation (LPE) or to distribute malware as Windows domain admins via remote code execution (RCE) with SYSTEM privileges.
Ransomware now using PrintNightmare exploits
And, as CrowdStrike researchers discovered last month, the Magniber ransomware gang is now using PrintNightmare exploits for these exact purposes in attacks against South Korean victims.
“On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place,” said Liviu Arsene, CrowdStrike’s Director of Threat Research and Reporting.
After compromising servers unpatched against PrintNightmare, Magniber drops an obfuscated DLL loader, which is first injected into a process and later unpacked to perform local file traversal and encrypt files on the compromised device.
In early February 2021, CrowdStrike observed Magniber being delivered via Magnitude EK onto South Korean devices running Internet Explorer unpatched against the CVE-2020-0968 vulnerability.
Magniber ransomware has been active since October 2017, when it was being deployed through malvertising using the Magnitude Exploit Kit (EK) as the successor of Cerber ransomware.
While it initially focused on South Korean victims, the Magniber gang soon expanded its operations worldwide, switching targets to other countries, including China, Taiwan, Hong Kong, Singapore, Malaysia, and more.
Magniber has been surprisingly active during the last 30 days, with almost 600 submissions on the ID Ransomware platform.
More threat groups expected to add PrintNightmare to their arsenals
At the moment, we only have evidence that the Magniber ransomware gang is using PrintNightmare exploits in the wild to target potential victims.
However, other attackers (including ransomware groups) will likely join in (if they haven’t already), seeing that other reports of in-the-wild PrintNightmare exploitation [1, 2, 3] have surfaced since the vulnerability was reported and proof-of-concept exploits were leaked.
“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” Arsene concluded.
To defend against attacks that might target your network, you are advised to apply any available patches as soon as possible and implement workarounds provided by Microsoft to remove the attack vector if a security update is not yet available.
On July 13, CISA issued an emergency directive ordering federal agencies to mitigate the actively exploited PrintNightmare vulnerability on their networks.
The cybersecurity agency also published a PrintNightmare alert on July 1st, encouraging security professionals to disable the Windows Print Spooler service on all systems not used for printing.
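The following PowerShell sketch is an added example, not code from CISA, Microsoft, or CrowdStrike. It audits the Print Spooler on the local host and disables it only when the host does not appear to be used for printing. The function names and the list of built-in virtual printers used to decide "not used for printing" are assumptions made for this example.

```powershell
# Added example. Run from an elevated PowerShell session.
# Assumption: a host "is used for printing" if it shares a printer or has any
# printer other than the built-in virtual ones listed here.
$VirtualPrinters = 'Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'Fax'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    $used = $null          # $null = unknown (spooler stopped, cannot enumerate)
    $real = @(); $shared = @()
    if ($svc.Status -eq 'Running') {
        # Get-Printer talks to the spooler, so it only works while it is running.
        $printers = @(Get-Printer -ErrorAction SilentlyContinue)
        $real     = @($printers | Where-Object { $VirtualPrinters -notcontains $_.Name })
        $shared   = @($printers | Where-Object { $_.Shared })
        $used     = ($real.Count -gt 0 -or $shared.Count -gt 0)
    }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SpoolerStatus   = $svc.Status
        StartType       = $svc.StartType
        RealPrinters    = $real.Count
        SharedPrinters  = $shared.Count
        UsedForPrinting = $used
    }
}

function Disable-UnusedSpooler {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $state = Get-SpoolerExposure
    if ($state.StartType -eq 'Disabled' -and $state.SpoolerStatus -eq 'Stopped') {
        Write-Verbose 'Print Spooler is already stopped and disabled.'
    }
    elseif ($state.UsedForPrinting -ne $false) {
        # Printing host, or state unknown: leave the service alone and rely on patching.
        Write-Warning 'Host has printers or its state is unknown; apply the security updates instead.'
    }
    elseif ($PSCmdlet.ShouldProcess($state.ComputerName, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerExposure    # report the resulting state
}

# Dry run: shows what would change without touching the service.
Disable-UnusedSpooler -WhatIf
```

Drop `-WhatIf` to apply the change; the function then asks for confirmation before stopping the service.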