The Vice Society ransomware gang has also started to exploit the PrintNightmare vulnerability in Windows print spooler service. Cisco Talos revealed the threat actor is actively abusing this flaw, joining Magniber and Conti ransomware gangs.
PrintNightmare is a set of security flaws that were recently discovered to affect the Windows Print Spooler Service, the Windows Print Driver, and the Windows Point and Print feature.
Updates are available for the bugs CVE-2021-34527 and CVE-2021-1675. Microsoft is still working on a patch for CVE-2021-36958, and in the meantime the company released a workaround this week.
The security flaws can allow attackers to execute arbitrary code in Windows. They can also be exploited to gain local privilege escalation (LPE), steal credentials, and distribute malware.
Cisco Talos detected two cases where Vice Society ransomware operators exploited PrintNightmare flaws CVE-2021-1675 and CVE-2021-34527 using a malicious Dynamic-link library (DLL).
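The exploitation described above loads an attacker-supplied DLL into the Print Spooler. As an added defender-side example (not from the article or from Cisco Talos), the following flags image-load events where spoolsv.exe loads an unsigned DLL from the print-driver store; it assumes Sysmon-style image-load records reduced to three fields, constructed inline, and the driver directory path `spool\drivers\<arch>\3` commonly used on Windows (an assumption, not stated on the page).

```python
"""Flag spoolsv.exe loading unsigned DLLs from the print-driver directory."""
import re

# Assumption: the spooler stores driver files under spool\drivers\<arch>\3.
DRIVER_DIR = re.compile(
    r"\\spool\\drivers\\(x64|w32x86|arm64)\\3\\[^\\]+\.dll$", re.IGNORECASE
)

# Constructed sample events (simplified Sysmon image-load records), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\spoolsv.exe",
     "loaded": r"C:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL",
     "signed": True},
    {"image": r"C:\Windows\System32\spoolsv.exe",
     "loaded": r"C:\Windows\System32\spool\drivers\x64\3\suspicious.dll",
     "signed": False},
    {"image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll",
     "signed": True},
]


def is_suspicious(event: dict) -> bool:
    """True when the spooler loads an unsigned DLL from the driver store."""
    is_spooler = event["image"].lower().endswith("\\spoolsv.exe")
    in_driver_dir = DRIVER_DIR.search(event["loaded"]) is not None
    return is_spooler and in_driver_dir and not event["signed"]


def find_suspicious(events: list) -> list:
    """Return the paths of DLLs that match the detection rule."""
    return [e["loaded"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: unsigned driver DLL loaded by spooler:", path)
```

Signed but malicious drivers would not trip this rule, so pair it with a review of newly added printer drivers.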
Vice Society is a variant of HelloKitty ransomware that encrypts both Windows and Linux machines using OpenSSL. The Vice Society operators use double-extortion tactics and mainly target small or midsize organizations, among them public school districts and other educational institutions.
Cisco Talos compiled a list of the most popular tactics and procedures used by Vice Society to help users protect themselves from unauthorized access and phishing. Among these are backup deletion to prevent victims from restoring encrypted files and strategies for bypassing Windows protections.
“They are quick to leverage new vulnerabilities for lateral movement and persistence on a victim’s network,” Cisco Talos said. “They also attempt to be innovative on end-point detection response bypasses” and “operate a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands.”
Multiple distinct threat actors are taking advantage of the PrintNightmare bugs, and their number is expected to keep growing as long as the business remains profitable, Cisco Talos added.
“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.”
To defend against these attacks, users should apply the patches available from Microsoft and implement the workaround for CVE-2021-36958.