Attackers eye vulnerabilities in Windows Print Spooler

Read time 2min 00sec

Researchers from Kaspersky say the number of attacks exploiting vulnerabilities in Windows Print Spooler have risen significantly over the past four months.

Despite Microsoft regularly releasing patches for its Print Spooler, software that manages the printing process, bad actors continue to actively exploit its vulnerabilities.

This enables attackers to distribute and install malware on victims’ computers that has the ability to take control of servers and machines, even without a special admin access, and steal stored data.

The most well-known vulnerabilities are CVE-2021-1675 and CVE-2021-34527, also called PrintNightmare, which were discovered in late June last year.

PrintNightmare was accidentally published by researchers as a proof of concept exploit for a critical Windows Print Spooler vulnerability, and was quickly removed from GitHub, although not before some users had managed to download and republish it.

Towards the end of April this year, a severe vulnerability (tracked as CVE-2022-22718) was also found in Windows Print Spooler. Although Microsoft had already issued a patch against this threat, the attackers were able to exploit this vulnerability and gain access to corporate resources.

Kaspersky researchers found that threat actors made some 65 000 attacks between July 2021and April 2022, with roughly 31 000 of these happening from January to April 2022.

This, says Kaspersky, suggests that vulnerabilities in Windows Print Spooler remain a popular attack route for cyber criminals, which means users need to be aware of any patches and fixes that Microsoft releases.

Alexey Kulaev, a security researcher at Kaspersky, says these vulnerabilities are a hotbed for emerging new threats.

“We anticipate a growing number of exploitation attempts to gain access to resources within corporate networks, accompanied by a high-risk of ransomware infection and data theft. Through some of these vulnerabilities, attackers can gain access not only to victims’ data but also to the whole corporate server.”

Kaspersky strongly recommends that users follow Microsoft’s guidelines and apply the latest Windows security updates and patches as soon as possible.

In addition, the company advises to perform regular security audits of their IT infrastructure to reveal any gaps and vulnerable systems, and use a protection solution for endpoints and mail servers with anti-phishing capabilities to decrease the chance of infection through phishing attempts.

See also