Flash Notice – The PrintNightmare Continues

Overview

On Patch Tuesday, Microsoft released yet another patch to address CVE-2021-34481 vulnerability in the PrintSpooler service – a service that runs on every computer participating in the Print Services system for Windows-based print clients. Rather than fixing the code vulnerability, which allowed attackers to install malware on printers and create new accounts, the patch restricts access to the Point and Print functionality by only giving access to users with administrative privileges.

On Exploit Wednesday, Benjamin Delpy, the creator of the widely used mimikatz red teaming tool, released another fully functioning exploit allowing any user to gain system-level privileges by taking advantage of flaws in the print spooler service. Microsoft later confirmed the exploit, assigning a new CVE-2021-36958.

These disappointing developments coincide with reports of ransomware groups exploiting the PrintNightmare family of vulnerabilities in the wild. A recently leaked playbook from the Conti ransomware organization indicates that “the vulnerability is fresh but already sensational. [Conti] will use it until we shut it down.” There are also reports of the Magniber ransomware gang exploiting the vulnerability in targeted attacks against South Korea.

How Avertium is Protecting Our Clients

SIEM and EDR rules deployed the weekend of July 4th should still be effective in detecting exploitation of this vulnerability. Additional detection rules will deploy as necessary.

Recommendations

• Restrict devices to only install printers from authorized servers via Group Policy, by enabling User Configuration > Administrative Templates > Control Panel > Printers > Package Point and Print – Approved Servers and entering a list of approved print servers.
• Package Point and Print Server List
• Take this opportunity to Go Green by permanently disabling printing across your entire organization.

References

• https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958

• https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-another-windows-print-spooler-zero-day-bug/
• https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html
• https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-prsod/7262f540-dd18-46a3-b645-8ea9b59753dc
• https://www.zdnet.com/article/microsoft-fixes-windows-10-printnightmare-flaw-with-this-update/
• https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/
• https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/
• https://github.com/gentilkiwi/mimikatz/tree/master/mimispool#protect

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.