Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Confirms (Yet Another) PrintNightmare Flaw as Ransomware Actors Pounce

Exasperated Windows fleet administrators woke up Thursday to news of a new, unpatched Print Spooler vulnerability that leaves machines exposed to remote code execution attacks.

Exasperated Windows fleet administrators woke up Thursday to news of a new, unpatched Print Spooler vulnerability that leaves machines exposed to remote code execution attacks.

Microsoft released a pre-patch advisory to confirm the severe new vulnerability after researchers published video of demo exploits on Twitter showing that Redmond’s latest PrintNightmare update was again problematic.

To make matters worse, anti-malware vendor CrowdStrike is warning that ransomware actors are already targeting one of the Windows PrintNightmare vulnerabilities to launch data-encrypting extortion attacks in South Korea.

Microsoft’s confirmation comes just days after the Patch Tuesday release of security patches and changed an OS default setting to attempt to fix a class of Print Spooler flaws that have haunted the Windows ecosystem since at least June 2021.

[ Related: Microsoft Takes Another Stab at PrintNightmare Security Fix ]

From Microsoft’s latest advisory (CVE-2021-36958):

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The only workaround for this vulnerability is stopping and disabling the Print Spooler service.

Advertisement. Scroll to continue reading.

Print Spooler, turned on by default on Microsoft Windows, is an executable file that’s responsible for managing all print jobs getting sent to the computer printer or print server.

Microsoft credited Accenture’s Victor Mata with reporting the bug.  Separately, Mimikatz creator Benjamin Delpy published a video to show that Microsoft’s patch again missed the mark.  

[ Related: Did Microsoft Botch the PrintNightmare Patch? ]

The issue has been a public embarrassment for Microsoft and suggests deep problems at the once-mighty MSRC (Microsoft Security Response Center).

In the midst of Microsoft’s hiccups, Crowdstrike is reporting that a known ransomware gang is attempting to exploit a known PrintNightmare flaw to launch data-encryption and extortion attacks.

A blog post from CrowdStike provides a timeline of the PrintNightmare class of bugs and warned that an exploit for one of the flaws — CVE-2021-34527 — have been used to plant ransomware on Windows machines in South Korea 

“The new incident involving Magniber ransomware using the recent PrintNightmare Printer Spooler vulnerability is surprising, but not uncommon considering the impact of the vulnerability. Several POCs have been in circulation since the issue was reported, and it was only a matter of time until adversaries attempted to leverage it to compromise victims and deliver malicious payloads,” CrowdStrike noted.

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Microsoft Ships Emergency PrintNightmare Patch

Related: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.