
Magniber Ransomware operators use PrintNightmare exploits to infect Windows servers

Threat actors behind the Magniber Ransomware are using PrintNightmare exploits in attacks aimed at Windows servers.

Threat actors behind the Magniber Ransomware are exploiting the PrintNightmare flaws (CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) to infect Windows servers.

The PrintNightmare flaws reside in the Windows Print Spooler service, print drivers, and the Windows Point and Print feature.

A few hours ago Microsoft published a security advisory to warn its customers of another remote code execution zero-day vulnerability, tracked as CVE-2021-36958, that resides in the Windows Print Spooler component. A local attacker could exploit the vulnerability to gain SYSTEM privileges on vulnerable systems. Microsoft said that the only workaround for this issue is to disable the Print Spooler service.

In order to address the PrintNightmare flaws, Microsoft also changed the default Point and Print behavior. Non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

  • Install new printers using drivers from a remote computer or server
  • Update existing printer drivers using drivers from a remote computer or server
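As an added example (not code from the article, Microsoft or CrowdStrike), the PowerShell audit below reports the two mitigations mentioned above on a Windows host: whether the Print Spooler service is stopped and disabled (Microsoft's workaround), and whether Point and Print driver installation is restricted to administrators via the RestrictDriverInstallation registry value. The `-DisableSpooler` switch and the script name are assumptions for this example.

```powershell
# Added example: audit the PrintNightmare mitigations on the local host.
# Assumed script name: Test-PrintNightmareMitigations.ps1 (run from an elevated session).
param(
    [switch]$DisableSpooler   # apply Microsoft's workaround: stop and disable the service
)

$findings = @()

# 1. Print Spooler service: Stopped + StartType Disabled means the workaround is applied.
$spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerOk = $false
if ($null -eq $spooler) {
    $findings += [pscustomobject]@{ Check = 'Spooler service'; Status = 'Not present'; Ok = $true }
    $spoolerOk = $true
} else {
    $spoolerOk = ($spooler.Status -eq 'Stopped') -and ($spooler.StartType -eq 'Disabled')
    $findings += [pscustomobject]@{
        Check  = 'Spooler service'
        Status = "$($spooler.Status) / StartType $($spooler.StartType)"
        Ok     = $spoolerOk
    }
}

# 2. Point and Print hardening: RestrictDriverInstallation = 1 makes non-administrators
#    unable to install or update printer drivers from a remote computer or server.
#    An explicit 0 re-enables the old, weaker behavior and should be treated as a finding.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$prop = Get-ItemProperty -Path $key -Name RestrictDriverInstallation -ErrorAction SilentlyContinue
if ($null -ne $prop) {
    $value  = [int]$prop.RestrictDriverInstallation
    $status = "$value"
} else {
    $value  = -1
    $status = 'not set (hardened default only if the August 2021 update is installed)'
}
$findings += [pscustomobject]@{
    Check  = 'RestrictDriverInstallation'
    Status = $status
    Ok     = ($value -eq 1)
}

# Optionally apply the workaround when the service is still running.
if ($DisableSpooler -and $null -ne $spooler -and -not $spoolerOk) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
}

$findings | Format-Table -AutoSize
```

Disabling the spooler removes the ability to print from that host, so the switch is meant for servers that do not need printing, such as domain controllers.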

CrowdStrike recently observed malicious activity associated with Magniber ransomware, a threat that has been active since 2017. In the recent wave of attacks, the threat actors attempted to trigger the PrintNightmare vulnerability on systems belonging to victims in South Korea.

“CrowdStrike recently observed new activity related to a 2017 ransomware family, known as Magniber, using the PrintNightmare vulnerability on victims in South Korea. On July 13, CrowdStrike successfully detected and prevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption takes place.” reads the post published by CrowdStrike.

The experts discovered that once a server has been compromised by exploiting a PrintNightmare flaw, Magniber drops an obfuscated DLL loader, injects it into a process, and later unpacks the DLL loader to perform local file traversal and encryption on the infected system.

The ransomware drops a ransom note that does not reveal anything about the ransomware operators; it only provides instructions to contact the threat actors for negotiation.

According to BleepingComputer, Magniber’s activity spiked in the last 30 days, with almost 600 submissions reported on the ID Ransomware platform.

Researchers believe that other ransomware gangs will start using PrintNightmare exploits in their operations.

“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors. We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries.” CrowdStrike concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)
