PrintNightmare is a set of vulnerabilities in Windows servers that can allow an attacker to escalate privileges and execute malicious code remotely. Microsoft has already issued patches for two of the vulnerabilities and a workaround for the third.
Unpatched Windows Servers at Risk
Certain Windows servers are vulnerable to attack by ransomware groups, which can exploit both the known and the recently discovered printing vulnerabilities. These vulnerabilities, tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958, are collectively called PrintNightmare. Microsoft released security patches for CVE-2021-1675 and CVE-2021-34527 in June, July, and August, leaving only CVE-2021-36958 without a patch. For that one it has issued a security advisory describing a workaround and asked users to apply it immediately.

Those who have ignored the advice are now being attacked, according to CrowdStrike, which has already blocked attacks against targets in South Korea. CrowdStrike has seen a ransomware group actively exploiting these vulnerabilities around the world to break in and plant a Magniber ransomware payload. The Magniber gang has been operating since 2017 and has been attacking the PrintNightmare bugs since February this year.

Attackers exploiting these vulnerabilities can escalate local privileges or “distribute malware as Windows domain admins via remote code execution (RCE) with SYSTEM privileges.” Once inside, they deploy an obfuscated DLL loader into a process; the loader is later unpacked to perform local file traversal and encrypt files on the compromised device. The Magniber payload is otherwise distributed mainly through malvertising, via the Magnitude Exploit Kit (EK).

For now only the Magniber ransomware group is actively exploiting these vulnerabilities, but with proof-of-concept exploits openly published, other ransomware groups may soon follow the same path. It is therefore recommended to install all available Microsoft updates and to apply the published workaround until an official patch is released.
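As an added illustration of the last point (this is example code, not from the article or from Microsoft), the following PowerShell audits the Print Spooler service on a host and optionally applies Microsoft's published workaround for CVE-2021-36958, which is to stop and disable the Print Spooler service on systems that do not need to print. The function names Get-PrintSpoolerExposure and Disable-PrintSpooler are my own; the only cmdlets used are the built-in Get-Service, Stop-Service and Set-Service.

```powershell
# Added example (not from the article): audit the Print Spooler service and,
# when asked, apply Microsoft's workaround of stopping and disabling it.
# Caveat: disabling the spooler stops all local and remote printing on the host.

function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Spooler not installed (e.g. Server Core without the Print role): nothing to do.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Installed    = $false
            Status       = 'NotInstalled'
            StartType    = 'n/a'
            Exposed      = $false
        }
    }

    # Treat a running spooler, or one that will start again on reboot, as exposed.
    # StartType on Get-Service output requires Windows PowerShell 5.0 or later.
    $exposed = ($svc.Status -eq 'Running') -or ($svc.StartType -ne 'Disabled')

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $true
        Status       = $svc.Status.ToString()
        StartType    = $svc.StartType.ToString()
        Exposed      = $exposed
    }
}

function Disable-PrintSpooler {
    # SupportsShouldProcess gives us -WhatIf / -Confirm for free, so the change
    # can be previewed before it is applied. Must run in an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Usage: report first, remediate only where the host has no printing role.
$report = Get-PrintSpoolerExposure
$report | Format-List

if ($report.Exposed) {
    Write-Warning "Print Spooler is enabled on $($report.ComputerName); disable it unless this host must print."
    # Preview the workaround without changing anything, then drop -WhatIf to apply it:
    # Disable-PrintSpooler -WhatIf
}
```

Run the report across a fleet with Invoke-Command against a list of servers to find hosts that still have the spooler enabled; the Exposed flag is deliberately strict (auto-start counts even when the service is currently stopped) so that a host that would become vulnerable again after a reboot is not reported as safe.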