Printnightmare

Vulnerability updated 3 months ago (2024-05-29T01:17:35.527Z)
PrintNightmare (CVE-2021-34527) is a remote code execution vulnerability in the Windows Print Spooler service. The spooler does not adequately restrict who may install a printer driver, so an authenticated attacker can hand it a malicious DLL as a "driver" and have the service load that DLL as SYSTEM, either on the local machine (privilege escalation) or over RPC against any reachable host (remote code execution). The spooler runs by default on Windows workstations and servers, including domain controllers, which is what made the flaw so dangerous: it was initially reported as a zero-day because a working proof-of-concept circulated before Microsoft's out-of-band fix was available. Exploitation in the wild has been reported for PrintNightmare, as it has for the unrelated Follina (CVE-2022-30190), and both have been called out as widely exploited Microsoft vulnerabilities.

Black Basta affiliates have exploited PrintNightmare for privilege escalation, alongside Zerologon (CVE-2020-1472) and NoPac (CVE-2021-42278 and CVE-2021-42287), which they used for local and Active Directory privilege escalation, and the credential scraping tool Mimikatz. These exploits sit within a broader intrusion toolkit that also includes the QakBot banking Trojan. By September, the group had breached over ninety networks using these methods. Because Black Basta runs a double extortion ransomware operation, its use of these bugs matters: as X-Force observed, Zerologon, PrintNightmare and PetitPotam each let an attacker obtain privileged access to Active Directory without credential harvesting or lateral movement, which greatly shortens the ransomware attack path, and X-Force saw them used in multiple ransomware attacks. A group's ability to escalate privileges with long-patched vulnerabilities such as Zerologon, NoPac and PrintNightmare underscores how much of the risk is unpatched or misconfigured infrastructure rather than novel tradecraft.

A practitioner caveat: installing the update alone is not sufficient. Microsoft's fix only holds when Point and Print is not configured to let non-administrators install or update drivers. If either NoWarningNoElevationOnInstall or UpdatePromptSettings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint is set to 1, a patched host remains exploitable; Microsoft's later hardening value RestrictDriverInstallationToAdministrators = 1 confines driver installation to administrators. Where a host does not need to print or serve printers, and on domain controllers in particular, the spooler should simply be stopped and disabled.
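The following PowerShell audit is an added example, not code from the original page or from any vendor cited on it. It checks the three things that decide whether a host is exposed to CVE-2021-34527 regardless of patch level: whether the spooler is running (and whether the host is a domain controller), and the Point and Print registry values described above. The registry key and value names are Microsoft's documented settings; the function name, the `-Remediate` switch and the report layout are this example's own choices. It does not verify that the July 2021 or later security updates are installed, since the relevant KB numbers differ per Windows build.

```powershell
# Added example (not from the original page): audit a Windows host for
# PrintNightmare exposure and optionally apply the configuration mitigations.
# Run in an elevated PowerShell session. Registry key/value names are Microsoft's
# documented Point and Print settings; the function name and switch are assumed.

function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # Stop and disable the spooler, and set the hardening registry values.
        [switch]$Remediate
    )

    $pnpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pnp     = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -ge 4

    # Return a DWORD value if present, otherwise $null ("not configured").
    function Read-Dword([object]$Obj, [string]$Name) {
        if ($null -ne $Obj -and $null -ne $Obj.PSObject.Properties[$Name]) {
            return [int]$Obj.$Name
        }
        return $null
    }
    $noWarn    = Read-Dword $pnp 'NoWarningNoElevationOnInstall'
    $updPrompt = Read-Dword $pnp 'UpdatePromptSettings'
    $restrict  = Read-Dword $pnp 'RestrictDriverInstallationToAdministrators'

    $issues  = New-Object System.Collections.Generic.List[string]
    $running = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    if ($running -and $isDC) {
        $issues.Add('Print Spooler is running on a domain controller; disable it.')
    } elseif ($running) {
        $issues.Add('Print Spooler is running; disable it unless this host must print or serve printers.')
    }
    # Either value set to 1 re-opens the hole on a patched host (Microsoft KB5005010).
    if ($noWarn -eq 1)    { $issues.Add('NoWarningNoElevationOnInstall=1 lets non-admins install drivers.') }
    if ($updPrompt -eq 1) { $issues.Add('UpdatePromptSettings=1 lets non-admins update drivers.') }
    # Must be 1 to confine driver installation to administrators (Microsoft KB5005652).
    if ($restrict -ne 1)  { $issues.Add('RestrictDriverInstallationToAdministrators is not 1.') }

    if ($Remediate) {
        if ($running) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
        }
        if (-not (Test-Path $pnpKey)) { New-Item -Path $pnpKey -Force | Out-Null }
        Set-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings -Value 0 -Type DWord
    }

    $status    = 'NotInstalled'
    $startType = 'n/a'
    if ($null -ne $spooler) {
        $status    = $spooler.Status.ToString()
        $startType = $spooler.StartType.ToString()
    }

    [PSCustomObject]@{
        ComputerName                               = $env:COMPUTERNAME
        IsDomainController                         = $isDC
        SpoolerStatus                              = $status
        SpoolerStartType                           = $startType
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $updPrompt
        RestrictDriverInstallationToAdministrators = $restrict
        Exposed                                    = ($issues.Count -gt 0)
        Issues                                     = $issues.ToArray()
    }
}

# Audit first; re-run with -Remediate once the report has been reviewed.
Test-PrintNightmareExposure | Format-List
# Test-PrintNightmareExposure -Remediate | Format-List
```

The registry checks are deliberately reported even when the spooler is stopped: a host whose spooler is later re-enabled by a print-server role or a helpful administrator inherits whatever Point and Print policy is already there, so the policy should be correct independently of the service state.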
Description last updated: 2024-05-29T01:16:58.644Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

CVE-2021-34527 (votes: 3)
CVE-2021-34527, also known as PrintNightmare, is a software vulnerability that involves a flaw in software design or implementation. The exploitation process begins when a user clicks on a link which downloads a ZIP archive containing a malicious JScript (JS) downloader titled 'Stolen Images Evidenc
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Windows
Vulnerability
Associated Malware
ID / Type / Votes / Profile Description

Logjam (association type: unspecified; votes: 2)
Logjam is a notorious malware that has been identified as a significant threat to network security. It exploits vulnerabilities in systems by tricking network clients into using weakened encryption modes, known as EXPORT ciphers. This type of "downgrade problem" was initially observed in 2015 when r

Conti (association type: has used; votes: 2)
Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Black Basta (association type: unspecified; votes: 2)
Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of
Associated Vulnerabilities
ID / Type / Votes / Profile Description

Heartbleed (association type: unspecified; votes: 2)
Heartbleed is a significant vulnerability (CVE-2014-0160) in the OpenSSL cryptographic software library, which was first identified and became widely known in 2014. It is a flaw in software design or implementation that allows attackers to read server memory and extract sensitive information, a proc

Zerologon (association type: unspecified; votes: 2)
Zerologon, also known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol that affects all versions of Windows Server OS from 2008 onwards. The flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Ac
Source Document References
Information about the PrintNightmare vulnerability was read from the documents corpus below (display limited to 20 results).

Source / Created / Title
DARKReading, 3 months ago: An Argument for Coordinated Disclosure of New Exploits
Flashpoint, 3 months ago: From Origins to Operations: Understanding Black Basta Ransomware
CISA, 4 months ago: #StopRansomware: Black Basta | CISA
CERT-EU, a year ago: X-Force Prevents Zero Day from Going Anywhere
Fortinet, a year ago: Ransomware Roundup - Black Basta | FortiGuard Labs
CERT-EU, 8 months ago: The Top 10 Ransomware Groups of 2023
CERT-EU, 8 months ago: Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
Krebs on Security, 2 years ago: Microsoft Patch Tuesday, January 2023 Edition
CERT-EU, a year ago: Top Threatening Network Vulnerability in 2023
CERT-EU, 2 years ago: North Korean hackers stole research data in two-month-long breach
DARKReading, 2 years ago: Critical RCE Lexmark Printer Bug Has Public Exploit
CERT-EU, a year ago: View the latest outbreak alerts on cyber-attacks | FortiGuard Labs