Magniber, Vice Society and other cybercriminal gangs have been observed exploiting vulnerabilities present in Windows Print Spooler in order to infect user devices with lethal ransomware.

More ransomware operators are now expected to follow suit and attempt to take advantage of any networks that have not yet patched the vulnerabilities, which have been dubbed “PrintNightmare”.

Exploiting vulnerabilities to leverage ransoms

The Microsoft service Windows Print Spooler is enabled by default on all Windows devices and is used to replicate data between different enterprise devices in order to manage print jobs. However, remote code execution vulnerabilities now tracked as CVE-2021-1675 and CVE-2021-34527 were found in the service, giving attackers the ability to execute arbitrary code. This in turn allowed the cybercriminals to install programs of their choosing, delete or modify data, create new accounts with maximum user privileges and move laterally across enterprise networks.

The weakness, commonly known as PrintNightmare, caught the eye of several ransomware groups that were keen to seize the opportunity to exploit any network that had not yet patched the vulnerabilities. Ransomware outfits have been using the weakness to compromise enterprise networks, encrypting data records and servers before demanding a ransom payment from their victims in return for the decryption key.

Among the gangs is Vice Society. A fairly new face on the ransomware landscape, the outfit first emerged in June and has earned a name for itself conducting human-operated, hands-on campaigns against victims. The gang has earned a reputation for being swift to exploit newly identified security vulnerabilities that make ransomware attacks easier. For this reason, it comes as little surprise that cybersecurity researchers based at Cisco Talos have discovered Vice Society has been using PrintNightmare to compromise networks in its attacks.

Like other ransomware gangs, Vice Society employs the infamous double-extortion tactic, stealing confidential or critical data from targets and then threatening to release it online if a ransom payment isn’t forthcoming. According to researchers at Cisco Talos, the gang has, to date, focused its attention on small to medium-sized targets in the education sector, like schools and colleges.

A breeding ground for cyberattacks

The widespread adoption of Windows systems in educational environments has supplied Vice Society with plenty of targets in which the PrintNightmare vulnerabilities remain unpatched, allowing the gang to infiltrate networks and serve ransomware payloads.

In a recent blog post, researchers from Cisco Talos commented on the attacks using the weaknesses:

“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks. Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.”

Operating since 2017, Magniber is another ransomware gang documented to be using the vulnerabilities to its advantage. CrowdStrike security researchers uncovered the group’s use of the weaknesses and found the bulk of the cybercriminal campaigns were aimed at South Korea.