The Vice Society ransomware gang is now also actively exploiting Windows print spooler PrintNightmare vulnerability for lateral movement through their victims’ networks.

PrintNightmare is a set of recently disclosed security flaws (tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) found to affect the Windows Print Spooler service, Windows print drivers, and the Windows Point and Print feature.

Microsoft has released security updates to address the CVE-2021-1675 and CVE-2021-34527 bugs in June, July, and August, and has also published a security advisory this week with a workaround for CVE-2021-36958 (a zero-day bug allowing privilege escalation).

Attackers can abuse this set of security flaws for local privilege escalation (LPE) or distributing malware as Windows domain admins via remote code execution (RCE) with SYSTEM privileges.

PrintNightmare added to Vice Society’s arsenal

Recently, Cisco Talos researchers observed Vice Society ransomware operators deploying a malicious Dynamic-link library (DLL) to exploit two PrintNightmare flaws (CVE-2021-1675 and CVE-2021-34527).

Vice Society ransomware (likely a HelloKitty spin-off) encrypts both Windows and Linux systems using OpenSSL (AES256 + secp256k1 + ECDSA), as ransomware expert Michael Gillespie found in mid-June when the first samples surfaced.

The Vice Society gang mainly targets small or midsize victims in human-operated double-extortion attacks, with a notable focus on public school districts and other educational institutions.

Cisco Talos also made a list of Vice Society’s favorite tactics, techniques, and procedures (TTPs), including backup deletion to prevent victims from restoring encrypted systems and bypassing Windows protections for credential theft and privilege escalation.

“They are quick to leverage new vulnerabilities for lateral movement and persistence on a victim’s network,” Cisco Talos said.

“They also attempt to be innovative on end-point detection response bypasses” and “operate a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands.”

PrintNightmare actively exploited by multiple threat actors

The Conti and Magniber ransomware gangs are also using PrintNightmare exploits to compromise unpatched Windows servers.

Magniber’s attempts to exploit the Windows print spooler vulnerabilities in attacks against South Korean victims were detected by Crowdstrike in mid-June.

In-the-wild PrintNightmare exploitation reports [1, 2, 3] have been slowly trickling in since the vulnerability was first reported and proof-of-concept exploits were leaked.

“Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective,” Cisco Talos added.

“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.”

To defend against these ongoing attacks, you should apply any available PrintNightmare patches as soon as possible and implement the workarounds provided by Microsoft for the CVE-2021-36958 zero-day to remove the attack vector.