Attackers have added PrintNightmare exploits to their arsenal and are now targeting Windows servers to infect them with Magniber ransomware payloads.
PrintNightmare is a set of security issues that affect the Windows Print Spooler service, the Windows Point and Print feature, and the Windows Print drivers.
Microsoft has previously released security updates to address the PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527 in June, July, and August, and a security advisory this Wednesday for CVE-2021-36958. In July, the Center for Information Security Awareness (CISA) issued an emergency directive to federal agencies to address the PrintNightmare vulnerability, and later an alert on July 1st.
Despite these measures, these flaws can still be exploited by attackers to execute remote code with SYSTEM privileges without requiring an administrator’s credentials.
According to Crowdstrike researchers, the Magniber ransomware gang is now using the PrintNightmare exploits to carry out its campaign against South Korean victims.
“On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place,” said Liviu Arsene, Crowdstrike’s Director of Threat Research and Reporting.
The Magniber ransomware was first detected in October 2017 and was initially deployed through malvertising techniques. After penetrating unpatched servers with PrintNightmare, Magniber dropped an obfuscated DLL loader that was injected into a process and later unpacked to encrypt files on the compromised device.
In February, Magniber ransomware was observed being delivered onto South Korean devices via the Magnitude Exploit Kit (EK). After targeting South Korean victims, the Magniber gang branched out to other countries, such as China, Malaysia, and Taiwan.
Even though, so far, there is only evidence that the Magniber gang is using the PrintNightmare exploits, other attackers will likely start to exploit the bugs too. Multiple proof-of-concept exploits have already been released underground since the vulnerability was reported.
“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” Arsene concluded.
To protect against such attacks, it is advised to apply all available patches, disable the Windows Print Spooler, and implement Microsoft's workarounds.
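As an added example (not code from the article or from CrowdStrike), the following PowerShell script audits a Windows host against the three mitigations above: it reports whether the Print Spooler service is running or enabled, whether the Point and Print policy values Microsoft's guidance says must be 0 (`NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) or 1 (`RestrictDriverInstallationToAdministrators`) are set correctly, and whether a list of expected updates is installed. With `-Enforce` it applies the service and registry changes. It assumes an elevated session; the `$PatchKBs` list is a placeholder that must be filled from Microsoft's advisory for the host's OS build, since the article names no KB numbers.

```powershell
# Added example (not from the article or CrowdStrike): audits a Windows host for the
# PrintNightmare mitigations recommended above and, with -Enforce, applies them.
# Assumes an elevated PowerShell session. $PatchKBs is a placeholder list to be
# filled from Microsoft's advisory for this OS build.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string[]]$PatchKBs = @('KB-PLACEHOLDER')   # placeholder, not a real KB number
)

$findings = @()

# 1. Print Spooler service: should be stopped and disabled where printing is not needed
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    if ($spooler.Status -eq 'Running' -or $startMode -ne 'Disabled') {
        $findings += "Print Spooler is $($spooler.Status) (start mode: $startMode)"
        if ($Enforce) {
            # Microsoft's documented workaround: stop the service and prevent it from restarting
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
    }
}

# 2. Point and Print policy values that weaken the fix if left permissive
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$props = if (Test-Path $ppKey) { Get-ItemProperty -Path $ppKey } else { $null }

# These two must be 0 (or absent) for the CVE-2021-34527 update to be effective
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = if ($props) { $props.$name } else { $null }
    if ($null -ne $val -and $val -ne 0) {
        $findings += "$name = $val (should be 0)"
        if ($Enforce) { Set-ItemProperty -Path $ppKey -Name $name -Value 0 -Type DWord }
    }
}

# RestrictDriverInstallationToAdministrators = 1 limits print driver installs to admins
$restrict = if ($props) { $props.RestrictDriverInstallationToAdministrators } else { $null }
if ($restrict -ne 1) {
    $findings += "RestrictDriverInstallationToAdministrators = $restrict (should be 1)"
    if ($Enforce) {
        if (-not (Test-Path $ppKey)) { New-Item -Path $ppKey -Force | Out-Null }
        Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    }
}

# 3. Are the expected cumulative updates installed?
$installed = (Get-HotFix).HotFixID
foreach ($kb in $PatchKBs) {
    if ($installed -notcontains $kb) { $findings += "Update $kb not installed" }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Spooler disabled, Point and Print policy hardened, listed updates present'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it without `-Enforce` first to see what would change. On hosts that must keep printing (print servers), Microsoft's alternative workaround is to leave the service running but disable inbound remote printing via the "Allow Print Spooler to accept client connections" Group Policy setting, which the script does not touch.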