Cyber Crime

Vice Society ransomware also exploits PrintNightmare flaws in its attack

Another ransomware gang, the Vice Society ransomware operators, is using Windows print spooler PrintNightmare exploits in its attacks.

The Vice Society ransomware operators are actively exploiting the Windows Print Spooler PrintNightmare vulnerabilities in their attacks against Windows servers.

The PrintNightmare flaws (tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) reside in the Windows Print Spooler service, print drivers, and the Windows Point and Print feature.

An attacker can exploit these vulnerabilities for local privilege escalation (LPE) or remote code execution (RCE).

Microsoft issued security updates between June and August to address the above issues, and it also changed the default Point and Print behavior. Non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

  • Install new printers using drivers on a remote computer or server
  • Update existing printer drivers using drivers from a remote computer or server

Microsoft recently published a security advisory to warn its customers of another remote code execution zero-day vulnerability, tracked as CVE-2021-36958, that resides in the Windows Print Spooler component. A local attacker could exploit the vulnerability to gain SYSTEM privileges on vulnerable systems.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft. “The workaround for this vulnerability is stopping and disabling the Print Spooler service.”

The flaw received a CVSS score of 7.3; Microsoft said that the only workaround for this issue is to disable the Print Spooler service.
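The two mitigations the article describes, the hardened Point and Print defaults and the "stop and disable the Print Spooler" workaround from the Microsoft advisory, can be audited and applied from an elevated PowerShell session. The script below is an added example written for this page, not code from Security Affairs, Microsoft or Cisco Talos. It assumes the Point and Print policy values Microsoft documents under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` (`RestrictDriverInstallationToAdministrators`, `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`) and the `Microsoft-Windows-PrintService/Operational` event log, which is disabled by default and must be enabled before its events can be queried; the function names are the example's own.

```powershell
# Added example: audit a host's exposure to the PrintNightmare class of flaws and,
# where printing is not needed, apply the workaround quoted in the article.
# Assumes an elevated PowerShell session on the host being checked.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Missing key or values means the post-update defaults apply (driver installs require admin).
    $pp = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue

    $spoolerRunning = $spooler -and $spooler.Status -eq 'Running'
    # Any of these settings re-opens the non-admin driver-install path the updates closed.
    $weakPointAndPrint = ($pp.RestrictDriverInstallationToAdministrators -eq 0) -or
                         ($pp.NoWarningNoElevationOnInstall -eq 1) -or
                         ($pp.UpdatePromptSettings -eq 2)

    [PSCustomObject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerStatus                              = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
        SpoolerStartType                           = if ($spooler) { [string]$spooler.StartType } else { $null }
        RestrictDriverInstallationToAdministrators = $pp.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall              = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $pp.UpdatePromptSettings
        # Exposed = spooler is up AND policy lets non-admins install remote drivers.
        Exposed                                    = [bool]($spoolerRunning -and $weakPointAndPrint)
    }
}

function Set-PointAndPrintRestriction {
    # Enforce the hardened defaults explicitly so a later GPO or script cannot silently relax them.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restrict Point and Print driver installation to administrators')) {
        if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
        New-ItemProperty -Path $PointAndPrintKey -Name RestrictDriverInstallationToAdministrators -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $PointAndPrintKey -Name NoWarningNoElevationOnInstall -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $PointAndPrintKey -Name UpdatePromptSettings -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Disable-PrintSpoolerService {
    # The advisory's workaround: stop and disable the service. Only for hosts that neither
    # print nor share printers (domain controllers are the usual candidates).
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}

function Get-RecentPrinterDriverEvents {
    # Detection aid: driver add/update (316) and plug-in load failures (808) in the PrintService
    # operational log; an unexpected driver DLL appearing here is worth an incident-response look.
    [CmdletBinding()]
    param([int]$Hours = 24)

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316, 808
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: audit first, then decide per host role.
Get-PrintSpoolerExposure | Format-List
Get-RecentPrinterDriverEvents -Hours 72
# Set-PointAndPrintRestriction -WhatIf
# Disable-PrintSpoolerService -WhatIf
```

Run the audit across a fleet with `Invoke-Command` and treat `Exposed = True` on servers as a remediation queue: disable the spooler where the role does not need it, and enforce the Point and Print restriction everywhere else. The `-WhatIf` switches are left on the mutating calls so the script is safe to paste as-is.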

Cisco Talos experts discovered that the Vice Society ransomware operators are exploiting two PrintNightmare vulnerabilities (CVE-2021-1675 and CVE-2021-34527) to deploy a malicious DLL on target servers.

“Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows’ print spooler service to spread laterally across a victim’s network as part of a recent ransomware attack, according to Cisco Talos Incident Response research.” states the post published by Cisco Talos.

Vice Society ransomware has been active since June and is considered by researchers a spin-off of the HelloKitty ransomware. The malware targets both Windows and Linux systems, primarily belonging to small or midsize victims.

This group focuses on public school districts and other educational institutions. Like other ransomware gangs, it implements a double extortion model and publishes data stolen from victims on a data leak site.

Talos experts published a list of the most notable characteristics of the group's operations:

  • The use of utilities such as proxychains and impacket during the post-compromise phases of the attack lifecycle.
  • The targeting of backups to prevent recovery following ransomware deployment.
  • The degradation of ESXi servers used for virtualization in victim environments.
  • The use of a DLL that takes advantage of the recently discovered PrintNightmare vulnerability for which Microsoft has previously released a security update.
  • Attempts to bypass native Windows protections for credential theft and privilege escalation.

The gang quickly adapts its TTPs, exploiting new vulnerabilities to evade detection, move laterally, and gain persistence on a victim’s network.

This week, CrowdStrike revealed that it had recently observed malicious activity associated with Magniber ransomware, a threat that has been active since 2017. In the recent wave of attacks, the threat actors attempted to trigger the PrintNightmare vulnerability on systems belonging to victims in South Korea.

“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.” concludes Talos.

“Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.”


Pierluigi Paganini

(SecurityAffairs – hacking, Windows)
