Magniber Ransomware operators use PrintNightmare exploits to infect Windows servers

Threat actors behind the Magniber Ransomware are using PrintNightmare exploits in attacks aimed at Windows servers.

Threat actors behind the Magniber Ransomware are exploiting the PrintNightmare flaws (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) to infect Windows servers.

The PrintNightmare flaws reside in the Windows Print Spooler service, print drivers, and the Windows Point and Print feature.

A few hours ago Microsoft published a security advisory to warn its customers of another remote code execution zero-vulnerability, tracked as CVE-2021-36958, that resides in the Windows Print Spooler component. A local attacker could exploit the vulnerability to gain SYSTEM privileges on vulnerable systems. Microsoft said that the only workaround for this issue is to disable the Print Spooler service. 

In order to address the PrintNightmare flaws, Microsoft implemented the same changes to the default Point and Print default behavior. Non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

• Install new printers using drivers on a remote computer or server
• Update existing printer drivers using drivers from remote computer or server

CrowdStrike recently observed malicious activity associated with Magniber ransomware, a threat that has been active since 2017. In the recent wave of attacks, the threat actors attempted to trigger the PrintNighmare vulnerability on systems belonging to victims in South Korea.

“CrowdStrike recently observed new activity related to a 2017 ransomware family, known as Magniber, using the PrintNighmare vulnerability on victims in South Korea. On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place.” reads the post published by CrowdStrike.

The experts discovered that once compromised a server exploiting a PrintNightmare flaw, Magniber drops an obfuscated DLL loader, then injects it into a process and later unpacks the DLL loader to perform local file traversal and encryption on the infected system.

The ransomware drops a ransom note that does not reveal anything about the ransomware operators, it only provides instructions to contact the threat actors for negotiation.

According to BleepingComputer, Magniber’s activity spiked in the last 30 days, experts reported almost 600 submissions on the ID Ransomware platform.

Researchers believe that other ransomware gangs will start using PrintNightmare exploits in their operations.

“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors. We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries.” CrowdStrike concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]