FR Design - stock.adobe.com
Microsoft's high-profile PrintNightmare vulnerabilities are being exploited by a newly formed ransomware group.
According to Cisco Talos, the two bugs, which can allow attackers to chain together a remote code execution exploit, are being wielded against networks by Vice Society. The group is a lesser-known ransomware crew that prefers targeting schools and academic networks.
"Vice Society is a relatively new player in the ransomware space," explained Cisco Talos researchers Edmund Brumaghin, Joe Marshall and Arnaud Zobec in a blog post. "They emerged in mid-2021 and have been observed launching big-game hunting and double-extortion attacks, primarily targeting small or midsize victims."
The PrintNightmare bugs, CVE-2021-1675 and CVE-2021-34527, affect Microsoft's print spooler service within Windows systems. The vulnerabilities are not being used as the initial access point, but rather they are being exploited for lateral movement as the attackers jump from system to system in their effort to get at valuable databases and servers.
Like many other modern ransomware crews, Vice Society uses the two-pronged technique of not only encrypting its victim's data, but also threatening to make the pilfered information public should a target not pay the ransom by a set deadline. This helps convince victims not to try and avoid the extortion by simply restoring from a backup.
According to Cisco Talos, Vice Society looks to take this concept a step further by actively seeking out and deleting any backups it can find. Doing so removes the victim's option to just wipe and restore infected systems.
"We observed attempts to access the backup solution employed in the environment, likely to prevent the organization from successfully recovering without paying the demanded ransom," explained the Cisco Talos researchers.
"The 'sudo' command was used to obtain credentials associated with a commercial backup solution, likely trying to gain access to backups present within the environment."
Microsoft dispatched an update to address the PrintNightmare bug last month, but the flaws remain exposed in many enterprise, government and academic networks where new updates need to be tested and administrators are sometimes months behind on patching. It is recommended that users and admins get the fixes implemented as soon as possible.
While the group is a relatively new name in the ransomware space, it is possible some of its members have previously operated as part of other ransomware groups, thanks to the growing network of investment and cooperation amongst ransomware crews.