Ransomware Gangs Exploiting Windows Print Spooler Vulnerabilities

Ransomware operators these types of as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and unfold laterally across a victim’s network to deploy file-encrypting payloads on focused techniques.

“A number of, unique risk actors look at this vulnerability as attractive to use in the course of their attacks and could show that this vulnerability will continue on to see more popular adoption and incorporation by various adversaries moving ahead,” Cisco Talos mentioned in a report printed Thursday, corroborating an independent investigation from CrowdStrike, which observed occasions of Magniber ransomware bacterial infections concentrating on entities in South Korea.

Stack Overflow Teams

When Magniber ransomware was first spotted in late 2017 singling out victims in South Korea via malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, principally concentrating on general public school districts and other educational institutions. The attacks are claimed to have taken spot due to the fact at least July 13.

Because June, a collection of “PrintNightmare” issues impacting the Home windows print spooler provider has appear to light that could empower remote code execution when the part performs privileged file functions –

  • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
  • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
  • CVE-2021-34481 – Home windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36936 – Home windows Print Spooler Distant Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-36947 – Windows Print Spooler Distant Code Execution Vulnerability (Patched on August 10)
  • CVE-2021-34483 – Home windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
  • CVE-2021-36958 – Windows Print Spooler Distant Code Execution Vulnerability (Unpatched)

CrowdStrike noted it was ready to productively avert makes an attempt manufactured by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.

Prevent Ransomware Attacks

Vice Modern society, on the other hand, leveraged a assortment of tactics to conduct submit-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.


Exclusively, the attacker is considered to have utilised a malicious library connected with the PrintNightmare flaw (CVE-2021-34527) to pivot to many techniques throughout the environment and extract credentials from the victim.

“Adversaries are regularly refining their solution to the ransomware attack lifecycle as they strive to run a lot more effectively, successfully, and evasively,” the researchers explained. “The use of the vulnerability recognized as PrintNightmare displays that adversaries are paying close notice and will promptly integrate new resources that they obtain valuable for many applications during their attacks.”

Fibo Quantum