Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems.

Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions.

A series of “PrintNightmare” issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations –

  • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

Magniber ransomware gang at exploiting the PrintNightmare vulnerability attempted and stopped by CrowdStrike

Vice Society leveraged a variety of techniques to conduct post compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.

Ransomware

Attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.

Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively.The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.