The Vice Society ransomware gang is now also actively exploiting the Windows Print Spooler PrintNightmare vulnerability for lateral movement through its victims' networks.
PrintNightmare is a set of recently disclosed security flaws (tracked as CVE-2021-1675, CVE-2021-34527, and CVE-2021-36958) found to affect the Windows Print Spooler service, Windows print drivers, and the Windows Point and Print feature.
Microsoft released security updates addressing CVE-2021-1675 and CVE-2021-34527 in June, July, and August, and this week published a security advisory for CVE-2021-36958 (a zero-day privilege escalation bug) whose only workaround is to stop and disable the Print Spooler service.
Attackers can abuse these flaws for local privilege escalation (LPE) to SYSTEM, or for remote code execution (RCE) with SYSTEM privileges on remote hosts, including domain controllers, which lets them push malware across a domain with domain admin rights.
PrintNightmare added to Vice Society's arsenal

Recently, Cisco Talos researchers observed Vice Society ransomware operators deploying a malicious Dynamic-link library (DLL) to exploit two PrintNightmare flaws (CVE-2021-1675 and CVE-2021-34527).
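For defenders who want to check a host against the two things described above, the Microsoft workaround and the malicious driver DLL that exploits of this kind stage for the spooler to load, the following PowerShell script is an added example; it is not from the article, from Cisco Talos, or from Microsoft. It relies on Microsoft's published PrintNightmare guidance for the Point and Print registry values and the driver store path, and on the PrintService operational log events 316 (driver added or updated) and 808 (spooler failed to load a plug-in module) that are commonly used to spot exploitation attempts. The `-DisableSpooler` switch applies the CVE-2021-36958 workaround, which also stops printing on that host; run it from an elevated session.

```powershell
# Added example: PrintNightmare posture and artifact check for one Windows host.
# Not from the article or from Cisco Talos. Registry values, driver path and
# event IDs follow Microsoft's public CVE-2021-34527 / CVE-2021-36958 guidance.
[CmdletBinding()]
param(
    [switch]$DisableSpooler,   # apply Microsoft's CVE-2021-36958 workaround
    [int]$LookbackDays = 14    # window for driver DLL drops and spooler events
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Print Spooler state. With no patch for CVE-2021-36958, the only complete
#    mitigation Microsoft offered was stopping and disabling the service.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    "Spooler: Status={0} StartType={1}" -f $spooler.Status, $spooler.StartType
    if ($DisableSpooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $findings.Add("Spooler stopped and disabled (workaround applied)")
    } elseif ($spooler.Status -eq 'Running') {
        $findings.Add("Spooler is running; disable it if this host does not need to print")
    }
}

# 2. Point and Print policy. Per Microsoft's CVE-2021-34527 guidance the two
#    prompt-suppression values must be 0 or absent, and after the August 2021
#    updates RestrictDriverInstallationToAdministrators must not be set to 0,
#    otherwise non-admin users can still install (attacker-supplied) drivers.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$policy = Get-ItemProperty -Path $pp -ErrorAction SilentlyContinue
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = $policy.$name
    if ($null -ne $v -and $v -ne 0) {
        $findings.Add("$name=$v weakens Point and Print (expected 0 or absent)")
    }
}
if ($null -ne $policy.RestrictDriverInstallationToAdministrators -and
    $policy.RestrictDriverInstallationToAdministrators -eq 0) {
    $findings.Add("RestrictDriverInstallationToAdministrators=0: non-admins may install drivers")
}

# 3. Driver store. PrintNightmare exploits drop a malicious DLL under the x64
#    version-3 driver directory and have the spooler load it as SYSTEM, so any
#    recently written or unsigned DLL there deserves a look.
$driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
$since = (Get-Date).AddDays(-$LookbackDays)
Get-ChildItem -Path $driverDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings.Add(("Recent driver DLL {0} (written {1}, signature {2})" -f `
            $_.FullName, $_.LastWriteTime, $sig.Status))
    }

# 4. Spooler operational log. Event 316 records a driver add/update and 808 a
#    failed plug-in load; both show up around exploit attempts. The log is off
#    by default, so "no events" may only mean "not enabled".
$logName = 'Microsoft-Windows-PrintService/Operational'
$log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
if ($log -and -not $log.IsEnabled) {
    $findings.Add("$logName is not enabled; enable it to record driver-install events")
} elseif ($log) {
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 316, 808; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add(("Event {0} at {1}: {2}" -f $_.Id, $_.TimeCreated,
                ($_.Message -split "`n")[0]))
        }
}

if ($findings.Count -eq 0) {
    "No PrintNightmare-related findings in the last $LookbackDays days."
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The script only reports; apart from the opt-in spooler switch it changes nothing, so it can be pushed to a fleet to find hosts that still have Point and Print relaxed or a fresh, unsigned DLL in the driver store before deciding where the spooler can safely be turned off.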
Vice Society ransomware (likely a HelloKitty spin-off) encrypts both Windows and Linux systems using OpenSSL (AES256 + secp256k1 + ECDSA), as ransomware expert Michael Gillespie found in mid-June when the first samples surfaced.
The Vice Society gang mainly targets small or midsize victims in human-operated double-extortion attacks, with a notable focus on public school districts and other educational institutions.