PrintNightmare

PrintNightmare

By CYFIRMA Research

First Published on 6 August 2021

  1. EXECUTIVE SUMMARY

Russian threat actors are suspected to have leveraged malware/ransomware and are believed to have exploited a zero-day vulnerability CVE-2021-34527.

Based on our research and analysis, we suspect state-sponsored Russian threat actor – TA505 or its affiliates to be carrying out these activities targeting multiple industries and geographies. These activities are suspected to be part of the Global Ransomware Campaign – night blood.

CYFIRMA suspects potential collaboration between Chinese hackers and Russian cybercriminals based on the indicators observed and given that Chinese hackers have targeted Japanese organizations with the same malware exploit kits in the past.

The primary motive of this campaign appears to be:

  • Exfiltration of sensitive information, intellectual property, personal, customer, and financial information.
  • Financial Gains.

CYFIRMA recommends using reported IOC details for measures against this campaign and threat hunting within your environment.

CYFIRMA Risk Rating for this Research is Critical.

NOTE: The vulnerability has been reported as situational awareness intelligence. CYFIRMA would like to highlight the potential risk and indicators observed which may be leveraged by nation-state threat actors in exploiting the vulnerability to gain a foothold and exfiltrate sensitive information from the target organizations.

  1. VULNERABILIY AT A GLANCE

Remote Code Execution Vulnerability in Microsoft Windows Print Spooler – (PrintNightmare)

CVE-2021-34527

CVSS Score: 8.8

Exploit Details: This zero-day vulnerability is being exploited in the wild and has been leveraged by REvil Ransomware Group. The exploit details can be referred to in the Link. (Source: Surface Web)

Description:
Microsoft Windows could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the Print Spooler service.

Impact
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code on the system with privileged access and could result in the complete compromise of the vulnerable system.

Insights
The vulnerability exists due to improper input validation within the RpcAddPrinterDriverEx() function. A remote user can send a specially crafted request to the Windows Print Spooler and execute arbitrary code with SYSTEM privileges.

The CWE is CWE-269, and the vulnerability has an impact on confidentiality, integrity, and availability.

Affected Version
Please refer to the following links for the affected versions: Source

Mitigation
Please refer to the following links for the mitigations: Source

Security Indicators

  • Is there already an exploit tool to attack this vulnerability? Yes
  • Has this vulnerability already been used in an attack? Yes
  • Are hackers discussing about this vulnerability in the Deep/Dark Web? Yes
  • What is the attack complexity level? Low

 

To download the full report, write to [email protected]