Security Experts:

Microsoft Confirms (Yet Another) PrintNightmare Flaw as Ransomware Actors Pounce

Exasperated Windows fleet administrators woke up Thursday to news of a new, unpatched Print Spooler vulnerability that leaves machines exposed to remote code execution attacks.

Microsoft released a pre-patch advisory to confirm the severe new vulnerability after researchers published video of demo exploits on Twitter showing that Redmond’s latest PrintNightmare update was again problematic.

To make matters worse, anti-malware vendor CrowdStrike is warning that ransomware actors are already targeting one of the Windows PrintNightmare vulnerabilities to launch data-encrypting extortion attacks in South Korea.

Microsoft’s confirmation comes just days after the Patch Tuesday release of security patches and changed an OS default setting to attempt to fix a class of Print Spooler flaws that have haunted the Windows ecosystem since at least June 2021.

[ Related: Microsoft Takes Another Stab at PrintNightmare Security Fix ]

From Microsoft’s latest advisory (CVE-2021-36958):

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The only workaround for this vulnerability is stopping and disabling the Print Spooler service.

Print Spooler, turned on by default on Microsoft Windows, is an executable file that's responsible for managing all print jobs getting sent to the computer printer or print server.

Microsoft credited Accenture’s Victor Mata with reporting the bug.  Separately, Mimikatz creator Benjamin Delpy published a video to show that Microsoft’s patch again missed the mark.  

[ Related: Did Microsoft Botch the PrintNightmare Patch? ]

The issue has been a public embarrassment for Microsoft and suggests deep problems at the once-mighty MSRC (Microsoft Security Response Center).

In the midst of Microsoft's hiccups, Crowdstrike is reporting that a known ransomware gang is attempting to exploit a known PrintNightmare flaw to launch data-encryption and extortion attacks.

A blog post from CrowdStike provides a timeline of the PrintNightmare class of bugs and warned that an exploit for one of the flaws -- CVE-2021-34527 -- have been used to plant ransomware on Windows machines in South Korea 

“The new incident involving Magniber ransomware using the recent PrintNightmare Printer Spooler vulnerability is surprising, but not uncommon considering the impact of the vulnerability. Several POCs have been in circulation since the issue was reported, and it was only a matter of time until adversaries attempted to leverage it to compromise victims and deliver malicious payloads,” CrowdStrike noted.

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Microsoft Ships Emergency PrintNightmare Patch

Related: Windows Admins Scrambling to Contain 'PrintNightmare' Flaw

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.