Kaspersky experts predict growing number of attacks on corporate networks using PrintNightmare vulnerability
Last week, researchers accidentally published a proof-of-concept (PoC) exploit for a critical vulnerability in the Windows Print Spooler service, known as PrintNightmare, that allows an attacker to gain access to corporate networks. Although a patch has been released, the vast majority of users have yet to download and install it. The exploit was quickly removed from GitHub, but by then some users had already downloaded and republished it.
With the exploit public, a cybercriminal who holds only a regular user account can use PrintNightmare to take control of any vulnerable server or client machine that runs the Windows Print Spooler service, including domain controllers. Because the spooler runs as SYSTEM, the attacker's code runs with full system privileges: it gives the attacker the opportunity to distribute and install malicious programs on the victim's computer, steal stored data, and create new accounts with full user rights.
After the first version of the PoC exploit became publicly available, researchers began to publish further versions, and PrintNightmare exploitation has been added as new modules to frameworks such as Mimikatz and Metasploit. Kaspersky experts therefore anticipate a growing number of attempts to gain access to corporate resources using PrintNightmare exploits, accompanied by a high risk of ransomware infection and data theft.
“This vulnerability is indeed serious because it allows cybercriminals to gain access to other computers within an organization’s network. Since the exploit is publicly available, a lot of fraudsters will take advantage of it. Therefore, we urge all users to apply the latest security updates for Windows,” comments Evgeny Lopatin, security expert at Kaspersky.
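The advice above is to patch. Patching alone is not the whole story, because a patched host can still be exposed if the Print Spooler keeps accepting remote connections or if Point and Print policy values weaken the fix. The following PowerShell script, an added example that is not Kaspersky's code, triages a single Windows host for that exposure and optionally stops and disables the spooler on hosts that never need to print (domain controllers in particular). The registry paths and value names follow Microsoft's published guidance for CVE-2021-34527; the -Remediate switch and the finding messages are this script's own.

```powershell
# Added example (not Kaspersky's code): triage a Windows host for PrintNightmare
# exposure and, where the host does not need to print, apply the mitigation
# Microsoft published alongside the CVE-2021-34527 update.
# Run in an elevated PowerShell session. Registry paths and value names follow
# Microsoft's guidance (KB5005010); the -Remediate switch is this script's own.
[CmdletBinding()]
param(
    # Stop and disable the Print Spooler (recommended for domain controllers
    # and any server that does not print). Off by default: report only.
    [switch]$Remediate
)

$findings = @()

# 1. Is the Print Spooler service running at all? No spooler, no attack surface.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output 'Spooler service not present; nothing to do.'
    return
}
if ($spooler.Status -eq 'Running') {
    $findings += "Print Spooler is running (StartType=$($spooler.StartType))."
}

# 2. Does it accept remote RPC connections? The Group Policy setting
#    "Allow Print Spooler to accept client connections" = Disabled writes
#    RegisterSpoolerRemoteRpcEndPoint = 2; anything else leaves remote access on.
$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($rpc -ne 2) {
    $findings += 'Spooler accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2).'
}

# 3. Point and Print values that weaken the patch even on an updated host.
#    Microsoft's guidance: both values must be 0 or not defined.
$pnp = Join-Path $printersPolicy 'PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = (Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -ne 0) {
        $findings += "Point and Print value $name = $v weakens the update; set it to 0 or remove it."
    }
}

# 4. Is this a domain controller? DomainRole 4/5 = backup/primary DC. A DC has
#    no business running a print spooler, and a compromised DC is game over.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -in @(4, 5)
if ($isDC -and $spooler.Status -eq 'Running') {
    $findings += 'This host is a domain controller with the Print Spooler running.'
}

if ($findings.Count -eq 0) {
    Write-Output 'No PrintNightmare exposure findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Mitigation: for hosts that never need to print, stopping and disabling the
# spooler removes the attack surface regardless of patch level.
if ($Remediate -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled.'
}
```

Run it without arguments first to see the findings, and only pass -Remediate on machines that genuinely do not print; disabling the spooler on a print server breaks printing for everyone who depends on it. Disabling the service is the one mitigation that does not depend on which cumulative update is installed, which is why it is the right default for domain controllers.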
Kaspersky products protect against attacks leveraging these vulnerabilities and detect the malicious implants with the following verdicts:
HEUR:Exploit.Win32.CVE-2021-1675.*
HEUR:Exploit.Win32.CVE-2021-34527.*
HEUR:Exploit.MSIL.CVE-2021-34527.*
HEUR:Exploit.Script.CVE-2021-34527.*
HEUR:Trojan-Dropper.Win32.Pegazus.gen
PDM:Exploit.Win32.Generic
PDM:Trojan.Win32.Generic
Exploit.Win32.CVE-2021-1675.*
Exploit.Win64.CVE-2021-1675.*