Come To Your Senses Already!

When it comes to cybersecurity, few things can be more perilous than to be asleep at the wheel. Every day, a great number of new vulnerabilities appear. In 2020, for example, there was apparently an average of 50 per day. However, patches continually emerge to close them. The problem arrives when people fail to consider them, thus increasing their risk of getting screwed. It is not uncommon to see a person or firm who inadvertently falls asleep and ends up losing in this field. But the most peculiar of all is that now that loss can also be provoked by a nightmare.

About two months ago, Microsoft warned about and released an out-of-band patch (i.e., a fix published at a time other than the regular release time) for PrintNightmare, a security flaw. This bug that initially seemed to involve two vulnerabilities, CVE-2021-34527 and CVE-2021-1675, allows attackers to take control of PCs. The issue lies specifically in the Windows Print Spooler (spoolsv.exe), a printing management service "enabled by default in all Windows clients and servers." As long as that first patch and the subsequent ones are not applied to the client systems that keep the service active, attackers will have code to exploit.

In general, we can understand PrintNightmare as a remote code execution (RCE) vulnerability based on operations improperly performed with privileged files by the mentioned Windows service. Therefore, attackers exploiting such a flaw can execute malicious code with system privileges inside the target device without physical access. Moreover, they can install software, steal, modify or remove information, or "create new accounts with full user rights," according to Microsoft.

As Cimpanu commented for The Record in late June, a part of PrintNightmare (at least that one with ID 1675) was at that time the latest of many Print Spooler-related findings. It turns out that this bug had been discovered earlier this year by several researchers. Microsoft already had the patch for all its users to update their systems. However, the snag arose when supposedly by an "accident," technical details of the bug and a proof-of-concept exploit ended up being shared on GitHub by analysts from a Chinese security firm. This information was online for just a few hours, but it was enough to be cloned by different users. From there, it reappeared later in the public domain.

Since then, it was known that this vulnerability could affect all versions of the Windows operating system, even those now rarely used, such as Vista and XP. The nightmare started to get darker when several researchers reported that the patch delivered by Microsoft was insufficient. Apparently, it only repaired that "part" 1675 (privilege escalation vulnerability) but not "part" 34527 (RCE vulnerability), both of which were initially grouped as if they were a single security flaw. Hence, Microsoft requested users to disable the service, "especially on Windows servers running as domain controllers from where attackers can pivot to entire internal networks." Days later, in early July, the second patch was released, surprisingly even for Windows 7, which had lost general support more than a year ago. Microsoft recommended its installation asap.

After Microsoft deployed patches for other versions of Windows (printer driver installation restrictions were becoming manifest), there were complaints that they did not provide sufficient protection. Ideas from researchers began to be made public about how the patches Microsoft had already submitted to close PrintNightmare could be bypassed. It was not until the first half of this month that authors like Todd from SecureWorld were able to say something like the following: "Now, Microsoft has finally fixed the vulnerability."

At first, it was curious to see that the security flaw Todd referred to in his post as PrintNightmare had been CVE-2021-36958, a different ID than those we saw above. However, Microsoft recently reported that there are really several vulnerabilities that together receive that name. (Today, it seems, they are about 10.) Another, for example, is the CVE-2021-34481. It was in relation to this design flaw that Microsoft exposed its new solution approach on August 10. It is about changing the default behavior of the Windows Point and Print feature. In a nutshell, as Cimpanu said, "While until now, any user could add a new printer to a Windows computer, [from now on], only admin users will be able to add or update a printer with drivers from a remote print server."

Despite all the effort, the nightmare cannot come to an end as long as many remain asleep. Meanwhile, others take advantage of it. More than a month ago, Kaspersky pointed out that cybercriminals could use PrintNightmare to carry out ransomware attacks. Well, that’s indeed what has happened. Since mid-July, the group of malicious hackers behind the Magniber ransomware is leveraging this bug (especially 34527) to breach Windows systems, mainly in South Korea.

According to Palmer in ZDNet, another group that has begun to attack taking quick advantage of PrintNightmare is Vice Society, which appeared recently in June. They use "double extortion attacks, stealing data from victims and threatening to publish it if the ransom isn’t paid." Apparently, their victims include small and medium-sized organizations, mainly educational institutions.

Certainly, these are not the only threat actors resorting to the nightmare for their benefit. And, no doubt, the number of ransomware groups seeking to infect unpatched systems is likely to grow soon. At present, what we must do to avoid this nightmare is to wake up and apply all available patches as soon as possible. Individuals and organizations must always stay vigilant and up-to-date with Windows security updates to reduce critical risks and prevent falling victim to harmful attacks.

From Fluid Attacks, we invite you to remember that these are just a few vulnerabilities that may be identified within your systems. If you want to discover and manage all the security flaws that, if exploited, could lead your company to catastrophe, do not hesitate to contact us.