CVE-2021-34527

Vulnerability Profile
CVE-2021-34527, also known as PrintNightmare, is a vulnerability in the Windows Print Spooler service. One reported exploitation chain begins when a user clicks a link that downloads a ZIP archive containing a malicious JScript (JS) downloader named 'Stolen Images Evidence.js' or 'DDoS attack proof and instructions on how to fix it.js'. The JS file then contacts a URL on newly created domains to download BazarLoader, which in turn downloads Cobalt Strike and a PowerShell script that exploits PrintNightmare. Exploitation of a second vulnerability, Follina (CVE-2022-30190), has also been reported alongside it. Russian threat actors have long been known to exploit a similar set of vulnerabilities, including PrintNightmare (CVE-2021-34527 and CVE-2021-1675); the recent discovery of the use of GooseEgg in Forest Blizzard operations is a new development that security providers had not previously reported. The reporting indicates that these vulnerabilities are exploited to gain unauthorized access to systems and potentially compromise sensitive information. Organizations should therefore apply patches and updates promptly to reduce the risk of exploitation, and should monitor for suspicious activity and indicators of compromise associated with these vulnerabilities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Printnightmare (Votes: 3)
PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Windows
Ddos
Vulnerability
Russia
Associated Malware
Black Basta (Type: Unspecified; Votes: 1)
Black Basta is a notorious malware entity known for its ransomware attacks on numerous organizations globally. The Russian-speaking group has affected over 500 organizations across various sectors, including automotive, outsourcing, public services, government, healthcare, and telecommunications. No

Conti's (Type: Unspecified; Votes: 1)
None

Bazarloader (Type: Unspecified; Votes: 1)
BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B

Conti (Type: Unspecified; Votes: 1)
Conti is a type of malware, specifically ransomware, that was used to exploit and damage computer systems. This malicious software could infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope
Associated Threat Actors
Forest Blizzard (Type: Unspecified; Votes: 1)
Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Associated Vulnerabilities
Printnightmare Cve-2021-34527 (Type: Unspecified; Votes: 3)
PrintNightmare (CVE-2021-34527) is a significant software vulnerability that was identified and reported in 2021. It is a flaw in the design or implementation of Microsoft's Windows Print Spooler service, which can be exploited for local and Windows Active Domain privilege escalation. This allows at

Zerologon (Type: Unspecified; Votes: 1)
Zerologon is a critical elevation of privilege vulnerability (CVE-2020-1472) within Microsoft's Netlogon Remote Protocol, affecting all versions of Windows Server OS from 2008 up to the latest available from Microsoft. This flaw in software design or implementation allows an attacker to establish a

Proxylogon (Type: Unspecified; Votes: 1)
ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and

Follina (Type: Unspecified; Votes: 1)
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou

CVE-2021-1675 (Type: Unspecified; Votes: 1)
None

CVE-2022-38028 (Type: Unspecified; Votes: 1)
None

CVE-2022-30190 (Type: Unspecified; Votes: 1)
CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
Source Document References
Information about the CVE-2021-34527 vulnerability was read from the documents corpus below.
MITRE (a year ago): Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
CERT-EU (a year ago): X-Force Prevents Zero Day from Going Anywhere
CERT-EU (a year ago): Top Threatening Network Vulnerability in 2023
MITRE (6 months ago): Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
Fortinet (a year ago): Ransomware Roundup - Black Basta | FortiGuard Labs
CERT-EU (a year ago): Windows Print Spooler Privilege Escalation Vulnerability - FreeBuf Cybersecurity Industry Portal
CERT-EU (a year ago): Cybersecurity threatscape: year 2021 in review
InfoSecurity-magazine (2 months ago): Russian APT28 Group in New "GooseEgg" Hacking Campaign
CISA (a month ago): #StopRansomware: Black Basta | CISA