
Ransomware Operators Now Exploiting #PrintNightmare Vulnerabilities

Ransomware operators have changed their tactics, techniques, and procedures (TTPs) to adopt the recently disclosed Microsoft #PrintNightmare vulnerabilities. Cisco Talos and CrowdStrike have independently confirmed in-the-wild exploitation of these vulnerabilities by multiple threat actors. Researchers have publicly confirmed exploitation of #PrintNightmare vulnerabilities by Magniber and Vice Society. Magniber has so far focused on targets in South Korea, while Vice Society has focused on public school districts and other educational organizations. The exploited vulnerabilities, previously covered in Threat Watch, include:
CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

Analyst Notes

While patching introduces risks of its own, these updates are critical, and organizations are advised to deploy them in production as soon as it is feasible. Threat actors have incorporated these vulnerabilities into their Tactics, Techniques, and Procedures (TTPs), and Proof of Concept (PoC) code has been publicly released by researchers. As the Hafnium campaign and other prior attacks have shown, threat actor groups can be relatively quick to change their TTPs in order to capitalize on recently disclosed vulnerabilities. We recommend using knowledge of these vulnerabilities in a robust program of detection engineering and threat hunting, such as Binary Defense’s offering.

https://thehackernews.com/2021/08/ransomware-gangs-exploiting-windows.html

https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/

https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html