Much has been made of the vulnerabilities recently discovered in the Windows Print Spooler Service and Microsoft’s patches for the issue. Now, systems that remain unpatched are being attacked by ransomware operators.
In a new report, Cisco Talos says a threat actor is exploiting those vulnerabilities – dubbed PrintNightmare – to spread laterally across a network and deploy ransomware.
The company singled out threat actor Vice Society, a relatively new ransomware operator that emerged just this year, but multiple threat actors view the PrintNightmare vulnerabilities as an attractive attack vector.
“Talos Incident Response’s research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,” the firm said in its report.
This particular group targets small or midsize victims, including public school districts and other educational organizations. They are quick to use new vulnerabilities for lateral movement and persistence, which makes patching vulnerabilities like PrintNightmare critical.
For indicators of compromise and more technical analysis, read Cisco Talos’ blog.
This comes after a separate report from CrowdStrike last month that said the Magniber ransomware gang is exploiting PrintNightmare to escalate privileges and distribute malware.
According to Cisco Talos, the increasing use of PrintNightmare shows that adversaries are following vulnerability disclosures and will jump at the opportunity to leverage these vulnerabilities in their attacks.
Now, “multiple distinct threat actors” are taking advantage of PrintNightmare, and this trend will likely increase if systems remain unpatched.
“It is important that defenders be aware of the various TTPs being used throughout the attack lifecycle so that they are prepared to prevent, detect, and respond to nefarious activity that may be indicative of a successful compromise of their environment,” Cisco Talos’ report said. “Failure to do so could result in widespread operational disruption, reputational damage, and the loss of confidentiality of sensitive information.”
There are now multiple vulnerabilities associated with the Windows Print Spooler Service, so make sure your systems are fully patched: apply the security patches Microsoft released earlier this week, and patch the additional zero-day vulnerability discovered this week as well.
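A quick way to turn that advice into something checkable is to audit each Windows host for Print Spooler exposure: is the service running, is it set to start automatically, are the Point and Print hardening values Microsoft documented alongside its patches in place, and what was installed recently. The script below is an added example written for this article, not code from Cisco Talos or Microsoft; it assumes it runs in an elevated PowerShell 5.1 or later session on the host being audited and that the `PointAndPrint` policy path is the standard one under `HKLM:\SOFTWARE\Policies`. The hotfix list is only a hint that patches are flowing; confirm specific KB coverage against Microsoft's advisory for your build.

```powershell
# Added example: audit one Windows host for Print Spooler exposure.
# Assumptions: elevated session, PowerShell 5.1+, standard PointAndPrint policy path.
function Get-PrintSpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Point and Print policy values documented by Microsoft for PrintNightmare hardening.
    $pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue

    # Helper: read a policy value or report that it is not set at all.
    function Read-PolicyValue($props, $name) {
        if ($props -and $null -ne $props.$name) { $props.$name } else { 'NotSet' }
    }

    # Most recent hotfixes, as a coarse signal that patching is happening on this host.
    $hotfixes = Get-HotFix -ErrorAction SilentlyContinue |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 -ExpandProperty HotFixID

    $result = [ordered]@{
        Host                                    = $env:COMPUTERNAME
        SpoolerStatus                           = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartup                          = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        RestrictDriverInstallationToAdministrators = Read-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
        NoWarningNoElevationOnInstall           = Read-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings                    = Read-PolicyValue $pnp 'UpdatePromptSettings'
        RecentHotfixes                          = ($hotfixes -join ', ')
    }

    # Flag the combinations a defender would want to look at first:
    # spooler running with driver installation still open to non-admins, or with
    # Point and Print warnings/elevation prompts suppressed.
    $findings = @()
    if ($result.SpoolerStatus -eq 'Running' -and $result.RestrictDriverInstallationToAdministrators -ne 1) {
        $findings += 'Spooler running and RestrictDriverInstallationToAdministrators is not 1'
    }
    if ($result.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 weakens Point and Print prompts'
    }
    if ($result.UpdatePromptSettings -eq 2) {
        $findings += 'UpdatePromptSettings=2 weakens Point and Print prompts'
    }
    $result.Findings = if ($findings.Count) { $findings -join '; ' } else { 'None' }

    [pscustomobject]$result
}

# Optional mitigation for hosts that never need to print (domain controllers, most servers):
# stop the service and keep it from starting again. Only run this where printing is not required.
function Disable-PrintSpooler {
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
    Get-Service  -Name Spooler | Select-Object Name, Status, StartType
}

# Usage: Get-PrintSpoolerExposure | Format-List
```

Run `Get-PrintSpoolerExposure` across a fleet with `Invoke-Command` and collect the `Findings` field; hosts that report the spooler running without `RestrictDriverInstallationToAdministrators` set to 1 are the ones to patch or harden first, and `Disable-PrintSpooler` is the blunt option for machines that have no business printing at all.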