PrintNightmare: More attacks on corporate networks predicted

By Staff Writer, ITWeb
Johannesburg, 13 Aug 2021

In June 2021, researchers inadvertently published a proof of concept (PoC) exploit for a critical Windows Print Spooler vulnerability, dubbed PrintNightmare, that lets an attacker gain access to corporate networks.

Kaspersky products protect against attacks leveraging these vulnerabilities and detect the malicious implants under the following verdicts:

HEUR:Exploit.Win32.CVE-2021-1675.*
HEUR:Exploit.Win32.CVE-2021-34527.*
HEUR:Exploit.MSIL.CVE-2021-34527.*
HEUR:Exploit.Script.CVE-2021-34527.*
HEUR:Trojan-Dropper.Win32.Pegazus.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
Exploit.Win32.CVE-2021-1675.*
Exploit.Win64.CVE-2021-1675.*

Although a patch for the vulnerability has been released, the vast majority of users have not downloaded or installed it yet, and while the exploit was quickly taken off GitHub, some managed to download and republish it.

Evgeny Lopatin, security expert at Kaspersky, says the vulnerability is serious because it enables bad actors to gain access to other computers within an organisation's network. “Since the exploit is publicly available, a lot of fraudsters will take advantage of it. Therefore, we urge all users to apply the latest security updates for Windows,” he adds.

He says PrintNightmare can be used by attackers with a regular user account to take control of vulnerable servers or client machines that run the Windows Print Spooler service.

It gives the attacker an opportunity to distribute and install malicious programs on a victim’s computer (including vulnerable domain controllers), as well as steal stored data and create new accounts with full user rights, he adds.
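A defender-side check, added here as an example and not part of the ITWeb article or of Kaspersky's own guidance: this PowerShell script reports whether the Print Spooler service is running on the local host, whether the host is a domain controller (the article singles those out as targets), and whether the Point and Print hardening values that Microsoft introduced alongside the patch are set. The registry path and value names are taken from Microsoft's published PrintNightmare guidance, not from this page, and should be verified against current documentation.

```powershell
# Added example: audit local Print Spooler exposure (not from the article).
# Registry path and value names per Microsoft's PrintNightmare guidance (assumed; verify).
$PointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    $props = Get-ItemProperty -Path $PointAndPrint -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SpoolerRunning     = [bool]($svc -and $svc.Status -eq 'Running')
        SpoolerStartType   = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        IsDomainController = $isDc
        # Patched hosts treat a missing value as 1 (admin-only driver installs); 0 re-opens the hole
        RestrictDriverInstallToAdmins = $props.RestrictDriverInstallationToAdministrators
        # A non-zero value in either of these disables the Point and Print warning/elevation prompt
        NoWarningNoElevationOnInstall = $props.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $props.UpdatePromptSettings
    }
}

$result = Get-SpoolerExposure
$result | Format-List

# Flag the combinations a defender cares about
if ($result.SpoolerRunning -and $result.IsDomainController) {
    Write-Warning 'Print Spooler is running on a domain controller; disable it unless printing is required here.'
}
if ($result.RestrictDriverInstallToAdmins -eq 0) {
    Write-Warning 'RestrictDriverInstallationToAdministrators is 0; non-admin users can install printer drivers.'
}
if ($result.NoWarningNoElevationOnInstall -or $result.UpdatePromptSettings) {
    Write-Warning 'Point and Print prompts are disabled; apply the Windows update and reset these values.'
}
```

Run it from an elevated PowerShell session on each server, and treat any warning on a domain controller as a priority for patching or for disabling the service.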

Once the first version of the PoC exploit became publicly available, researchers began to publish additional versions of this exploit.

The PrintNightmare vulnerability is also being exploited by new modules of frameworks such as Mimikatz and Metasploit.

As a result, Kaspersky experts predict a growing number of attempts to gain access to corporate resources using the PrintNightmare exploit, accompanied by the high risk of ransomware infection and data theft.