Printnightmare

Vulnerability Profile Updated 2 months ago
PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges, either locally or remotely, by loading a malicious DLL that is then executed as SYSTEM. The flaw, which at the time was reported as a potential new Microsoft zero-day, lets any authenticated attacker remotely execute code with SYSTEM privileges on any machine that has the Windows Print Spooler service enabled, which is the default setting. Exploitation of this vulnerability, together with the flaw known as Follina (CVE-2022-30190), has been reported, underscoring the severity and widespread nature of these risks.

Black Basta affiliates have exploited this vulnerability, among others, for privilege escalation. They have used the credential-scraping tool Mimikatz alongside exploits for Zerologon, NoPac, and PrintNightmare. According to cybersecurity researchers, Black Basta affiliates exploited ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278 and CVE-2021-42287), and PrintNightmare for local and Windows Active Directory domain privilege escalation. These exploits are part of their advanced intrusion techniques, which also include the QakBot banking Trojan. By September, they had breached over ninety networks using these methods.

Black Basta's use of these vulnerabilities has significant implications, especially given their use of double-extortion ransomware. Because ZeroLogon, PrintNightmare, and PetitPotam allow an attacker to obtain privileged access to Active Directory without credential harvesting or lateral movement, they significantly shorten the ransomware attack path; X-Force accordingly observed their use in multiple ransomware attacks. The group's ability to exploit known vulnerabilities such as ZeroLogon, NoPac, and PrintNightmare to escalate privileges within a network underscores the urgent need for robust defensive measures against these threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
CVE-2021-34527 | 3 | CVE-2021-34527, also known as PrintNightmare, is a software vulnerability that involves a flaw in software design or implementation. The exploitation process begins when a user clicks on a link which downloads a ZIP archive containing a malicious JScript (JS) downloader titled 'Stolen Images Evidenc
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Exploit
Vulnerability
Ransomware
Malware
Extortion
Lateral Move...
T1068
Microsoft
Exploits
Zero Day
Poc
Remote Code ...
Trojan
Associated Malware
ID | Type | Votes | Profile Description
Black Basta | Unspecified | 2 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Logjam | Unspecified | 2 | Logjam is a notorious malware that has been identified as a significant threat to network security. It exploits vulnerabilities in systems by tricking network clients into using weakened encryption modes, known as EXPORT ciphers. This type of "downgrade problem" was initially observed in 2015 when r
WannaCry | Unspecified | 1 | WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
QakBot | Unspecified | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Associated Threat Actors
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Zerologon | Unspecified | 2 | Zerologon is a critical vulnerability (CVE-2020-1472) found within Microsoft's Netlogon Remote Protocol, impacting all versions of Windows Server OS from 2008 onwards. This flaw in software design or implementation allows attackers to bypass authentication mechanisms and change computer passwords wi
Heartbleed | Unspecified | 2 | Heartbleed is a significant vulnerability (CVE-2014-0160) that was identified in the OpenSSL cryptographic software library in 2014. This flaw allows an attacker to read server memory and send additional data, leading to potential information leaks, hence the term "bleeding out data". The vulnerabi
Proxylogon | Unspecified | 1 | ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
CVE-2022-30190 | Unspecified | 1 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
CVE-2020-1472 | Unspecified | 1 | CVE-2020-1472, also known as the ZeroLogon vulnerability, is a critical-severity privilege escalation flaw in Microsoft's Netlogon Remote Protocol. It was patched by Microsoft on August 11, 2020. This vulnerability allows attackers to gain administrative access to a Windows domain controller without
CVE-2021-42278 | Unspecified | 1 | None
CVE-2021-42287 | Unspecified | 1 | None
Source Document References
Information about the PrintNightmare vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 2 months ago | An Argument for Coordinated Disclosure of New Exploits
Flashpoint | 2 months ago | From Origins to Operations: Understanding Black Basta Ransomware
CISA | 2 months ago | #StopRansomware: Black Basta | CISA
CERT-EU | a year ago | X-Force Prevents Zero Day from Going Anywhere
Fortinet | a year ago | Ransomware Roundup - Black Basta | FortiGuard Labs
CERT-EU | 6 months ago | The Top 10 Ransomware Groups of 2023
CERT-EU | 6 months ago | Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
Krebs on Security | a year ago | Microsoft Patch Tuesday, January 2023 Edition
CERT-EU | a year ago | Top Threatening Network Vulnerability in 2023
CERT-EU | a year ago | North Korean hackers stole research data in two-month-long breach
DARKReading | a year ago | Critical RCE Lexmark Printer Bug Has Public Exploit
CERT-EU | a year ago | View the latest outbreak alerts on cyber-attacks | FortiGuard Labs