The PrintNightmare vulnerabilities that have haunted Windows users for the last few weeks continue to be attractive targets for attackers, including the Vice Society ransomware group, which has begun exploiting the bugs during its intrusions.
Vice Society is one of the newer ransomware groups on the scene and it has not wasted any time in going after big targets. The group uses a number of different tactics, including going after backups in order to complicate recovery processes for victims. Recently, Cisco Talos incident response teams have seen Vice Society deploying a DLL that exploits the PrintNightmare vulnerabilities in Windows systems.
“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks. Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective,” Cisco Talos researchers wrote in an analysis of the Vice Society actions.
PrintNightmare refers to a set of vulnerabilities in the Windows Print Spooler service that attackers can exploit to gain remote code execution, or to run code as SYSTEM from an ordinary user account, on target machines. Microsoft has released a series of fixes for the bugs over the last few months, but the patches haven't completely solved the problems. In the August Patch Tuesday update, the company released another patch meant to address the remaining issues, but the spooler trouble did not end there. The day after that patch shipped, Microsoft posted an advisory about another, newly disclosed flaw in the print spooler service. The new vulnerability (CVE-2021-36958) is only exploitable locally, but exploit code for it is already available.
“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft advisory says.
There is no patch available for the new print spooler flaw, and the workaround for it, as with all of the other PrintNightmare bugs, is to stop and disable the Print Spooler service. Stopping the service alone is not enough, because it starts automatically on reboot; it has to be disabled as well. The trade-off is that a host with the spooler disabled can no longer print locally or serve shared printers to other machines.
The Vice Society ransomware actors are far from the only group targeting PrintNightmare. Other actors have been exploiting the flaws since early summer, and because the flaws affect all current versions of Windows, the target base is quite large. Organizations should apply the latest update to address the PrintNightmare flaws, and if that's not immediately possible, disable the Print Spooler service, starting with hosts that have no reason to print at all, such as domain controllers and other servers.
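The workaround described above, as an added example (not code from the original article, Cisco Talos, or Microsoft): an elevated PowerShell script that reports the spooler's current state, warns if the host is sharing printers (disabling the service would break printing for every client that uses them), then stops and disables the service and verifies the result. The cmdlets used are standard Windows PowerShell; the `-Force` switch is this script's own parameter, not a Windows setting.

```powershell
# Added example: stop and disable the Print Spooler as the PrintNightmare workaround.
# Run from an elevated PowerShell session. -Force is this script's own switch; it
# overrides the shared-printer safety check below.
param([switch]$Force)

$svc = Get-Service -Name Spooler -ErrorAction Stop
$startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
Write-Host "Spooler status: $($svc.Status), startup type: $startMode"

# A host that shares printers is acting as a print server. Surface that before
# acting, because disabling the spooler here breaks printing for its clients.
$shared = @()
if ($svc.Status -eq 'Running' -and (Get-Command Get-Printer -ErrorAction SilentlyContinue)) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
}
if ($shared.Count -gt 0 -and -not $Force) {
    Write-Warning ("This host shares {0} printer(s): {1}. Re-run with -Force to disable the spooler anyway." -f $shared.Count, ($shared.Name -join ', '))
    return
}

# Stop the running service, then disable it so it does not come back on reboot.
# Stopping alone is not enough: the default startup type is Automatic.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}
Set-Service -Name Spooler -StartupType Disabled

# Verify the final state rather than trusting the cmdlets' silent success.
$svc = Get-Service -Name Spooler
$startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
if ($svc.Status -eq 'Stopped' -and $startMode -eq 'Disabled') {
    Write-Host "Print Spooler is stopped and disabled."
} else {
    Write-Error "Print Spooler is still $($svc.Status) with startup type $startMode"
}
```

Save the script and run it as `.\Disable-Spooler.ps1` (or `.\Disable-Spooler.ps1 -Force` on a print server you have decided to take offline). Re-enabling later is the reverse: `Set-Service -Name Spooler -StartupType Automatic; Start-Service -Name Spooler`. The same two-step check, stopped and disabled, is what to assert in a fleet-wide audit; a spooler that is merely stopped will be running again after the next patch reboot.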