[MART] - Daily Diary #326 - Threat Actors Spotted Exploiting PrintNightmare Vulnerabilities

CTAS-MAT ctas-mat at appgate.com
Fri Aug 13 22:14:02 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

08/13/2021 - Diary entry #326:

In Daily Diaries #295, #296 and #300 we covered PrintNightmare, a publicly released exploit for a then-unpatched vulnerability in the Windows Print Spooler affecting multiple versions of Windows. Microsoft released emergency out-of-band patches for some Windows versions, which security researchers bypassed shortly afterwards. This week Microsoft released the August 2021 Patch Tuesday updates, covered in Daily Diary #323, which fix the vulnerabilities the PrintNightmare exploit relies on.

After the patch, Windows requires administrative privileges to install print drivers through the Point and Print feature. A day later, Microsoft acknowledged a new Remote Code Execution (RCE) vulnerability in the Print Spooler, tracked as CVE-2021-36958. It remains unpatched, and until a fix is available Microsoft recommends stopping and disabling the Print Spooler service.

Meanwhile, some ransomware gangs have already been spotted abusing the PrintNightmare vulnerabilities in the wild. Since at least July 13, Magniber and Vice Society operators have been exploiting them to compromise targets and move laterally to deploy malicious payloads across victims' networks.

When the vulnerability was disclosed, several exploits appeared on GitHub, so it was only a matter of time before threat actors adopted PrintNightmare in their operations. It is important to keep Windows updated and, for now, to disable the Print Spooler service on every system that does not need to print (workstations and especially domain controllers) until an official fix is released.
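The mitigation the entry describes, as an added PowerShell example that is not part of the original diary and is not Appgate's or Microsoft's tooling: it reports the Print Spooler state and the Point and Print policy values on the local host, and with -Mitigate stops and disables the service and enforces the administrator-only driver installation policy. The registry key and value names are the ones documented in Microsoft's KB5005652 guidance; the -Mitigate switch and function names are this example's own.

```powershell
# Added example (not from the diary, Appgate or Microsoft): audit and, optionally,
# mitigate PrintNightmare exposure on a single Windows host.
# Run from an elevated PowerShell session. Without -Mitigate it only reports.
param(
    [switch]$Mitigate   # example's own switch: apply the changes instead of reporting
)

# Policy key documented in KB5005652 (Point and Print driver installation behaviour).
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerState {
    # Returns $null if the service does not exist on this host.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Get-PointAndPrintPolicy {
    # Values are $null when the key or value is absent (i.e. OS default applies).
    $p = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 = only administrators may install drivers (the post-August-2021 default);
        # 0 explicitly re-opens driver installation to standard users.
        RestrictDriverInstallationToAdministrators = $p.RestrictDriverInstallationToAdministrators
        # 1 suppresses the elevation prompt when installing a driver from a new server.
        NoWarningNoElevationOnInstall              = $p.NoWarningNoElevationOnInstall
        # 0 suppresses the prompt when an existing driver is updated.
        UpdatePromptSettings                       = $p.UpdatePromptSettings
    }
}

function Test-PrintNightmareExposure {
    # Collects findings a practitioner would act on; an empty list means nothing flagged.
    $findings = @()
    $spooler = Get-SpoolerState
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Print Spooler is running'
    }
    if ($spooler -and $spooler.StartType -ne 'Disabled') {
        $findings += "Print Spooler start type is $($spooler.StartType), not Disabled"
    }
    $pol = Get-PointAndPrintPolicy
    if ($pol.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0 lets non-admins install drivers'
    }
    if ($pol.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 disables the install elevation prompt'
    }
    if ($pol.UpdatePromptSettings -eq 0 -and $null -ne $pol.UpdatePromptSettings) {
        $findings += 'UpdatePromptSettings=0 disables the driver update prompt'
    }
    return $findings
}

function Invoke-SpoolerMitigation {
    # Microsoft's interim guidance: stop and disable the service; also enforce admin-only
    # driver installation so the Point and Print path is closed if the service returns.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
    if (-not (Test-Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PointAndPrintKey -Name RestrictDriverInstallationToAdministrators `
        -Value 1 -Type DWord
}

$findings = Test-PrintNightmareExposure
if ($findings.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME: no PrintNightmare exposure findings"
} else {
    $findings | ForEach-Object { Write-Warning "$env:COMPUTERNAME: $_" }
    if ($Mitigate) {
        Invoke-SpoolerMitigation
        Write-Host "$env:COMPUTERNAME: Print Spooler stopped and disabled; admin-only driver installation enforced"
    }
}
```

Run it without -Mitigate first and review the warnings; do not apply -Mitigate on print servers or other hosts that must keep printing, where the patched state plus the admin-only driver policy is the available mitigation. Disabling the spooler on domain controllers, which rarely need it, is the highest-value target.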

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
