Cybercriminals already hunt for unpatched bugs to exploit, and their job gets easier when a vendor struggles to patch them. That appears to be the case with Microsoft, which is having trouble fully addressing the PrintNightmare bugs. Taking advantage of this weakness, at least two different ransomware gangs plan to exploit PrintNightmare in upcoming cyber attacks.
Ransomware Gangs Aim To Exploit PrintNightmare
Researchers have recently found at least two different ransomware gangs aiming to exploit PrintNightmare in subsequent attacks. The bugs may well attract more threat actors in the future.
Specifically, researchers from CrowdStrike have found the Magniber ransomware gang already exploiting PrintNightmare against victims in South Korea.
As elaborated in their post, the attackers are exploiting CVE-2021-34527, which Microsoft patched in July. However, given how slowly end-user systems are updated and the problems with the patch itself, the attackers still have plenty of room to exploit it in recent attacks.
Explaining how Magniber exploits the bug, the post reads,
A malicious DLL was written to the folder \Device\HarddiskVolume2\Windows\System32\spool\DRIVERS\x64\3\New\ after which it was loaded into the spoolsv.exe process. The DLL itself is associated with the Magniber ransomware and is responsible for deobfuscating the core ransomware DLL and injecting it into a remote process.
Likewise, researchers from Cisco Talos spotted another ransomware gang aiming at PrintNightmare – the Vice Society. These threat actors also leverage a DLL that exploits the PrintNightmare vulnerability to target remote systems.
The Conti ransomware gang also appears to have joined in.
The leaked Conti manual also included PrintNightmare. IMO it is safe to say that by now every competent Ransomware gang is using this Vuln.
— John Fokker (@John_Fokker) August 12, 2021
About Vice Society Ransomware
As Cisco Talos’ post explained, Vice Society is a new ransomware gang that emerged in mid-2021. It predominantly targets small and mid-size businesses, schools, and educational institutions.
This ransomware gang also operates on the double extortion strategy and maintains a separate data leak site.
After infecting a victim, the ransomware employs evasive techniques to bypass security checks and gain elevated privileges. It also exhibits robust endpoint-detection evasion capabilities and targets backups to prevent data recovery after the attack.
Given the current threat of ransomware attacks, users who have not yet patched their systems against the PrintNightmare vulnerability should disable the Print Spooler service.
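The mitigation above and the Magniber indicator quoted from CrowdStrike's post, as an added PowerShell audit script that is not from the article or from either vendor; it assumes Sysmon is installed with image-load (event ID 7) logging enabled, and its -Disable switch is this script's own parameter, not a Microsoft cmdlet option:

```powershell
# Added example: audit a Windows host for PrintNightmare exposure and the
# spool-driver DLL indicator described in the article. Run elevated.
# Assumes Sysmon with image-load (ID 7) logging; -Disable is this script's own flag.
param(
    [switch]$Disable,            # also stop and disable the Print Spooler service
    [int]$LookbackHours = 24     # how far back to look for new driver DLLs / image loads
)

$spoolDrivers = Join-Path $env:SystemRoot 'System32\spool\drivers'
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Is the Print Spooler running, and will it start again at boot?
$svc = Get-Service -Name Spooler
"Spooler status: $($svc.Status), start type: $($svc.StartType)"

# 2. Recently written DLLs under the driver store. The Magniber case dropped its
#    loader into ...\spool\DRIVERS\x64\3\New\, a subfolder of this tree.
Get-ChildItem -Path $spoolDrivers -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { "New driver DLL: $($_.FullName) (written $($_.LastWriteTime))" }

# 3. Sysmon image loads (event ID 7) into spoolsv.exe from the driver store.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'Image: .*\\spoolsv\.exe' -and
        $_.Message -match 'ImageLoaded: .*\\spool\\drivers\\'
    } |
    ForEach-Object {
        $loaded = ($_.Message -split "`n" | Where-Object { $_ -match '^ImageLoaded:' }) -join ''
        "Sysmon 7: $($_.TimeCreated) $loaded"
    }

# 4. The mitigation the article recommends for unpatched hosts: stop and disable the service.
if ($Disable -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    "Print Spooler stopped and disabled; re-enable after patching if printing is required."
}
```

Any hit in step 2 or 3 is worth pulling the DLL for analysis before deciding whether the host is compromised rather than merely unpatched.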
Let us know your thoughts in the comments.