Microsoft’s high-profile PrintNightmare vulnerabilities are being exploited by a newly-formed ransomware group.
According to Cisco Talos, the two bugs, which can be chained into a remote code execution exploit, are being wielded against networks by Vice Society, a lesser-known ransomware crew that prefers targeting schools and academic networks.
“Vice Society is a relatively new player in the ransomware space,” explained Cisco Talos researchers Edmund Brumaghin, Joe Marshall, and Arnaud Zobec in a blog post. “They emerged in mid-2021 and have been observed launching big-game hunting and double-extortion attacks, primarily targeting small or midsize victims.”
The PrintNightmare bugs, CVE-2021-1675 and CVE-2021-34527, affect Microsoft’s print spooler service within Windows systems. The vulnerabilities are not being used as the initial access point, but rather are being exploited for lateral movement as the attackers jump from system to system in their effort to get at valuable databases and servers.
Like many other modern ransomware crews, Vice Society uses the two-pronged technique of not only encrypting the victim’s data, but also threatening to make the pilfered information public should the target not pay up by a set deadline. This helps convince victims not to sidestep the extortion by simply restoring from a backup.
Cisco Talos notes that Vice Society looks to take this concept a step further by actively seeking out and deleting any backups they can find, taking away the victim’s option to just wipe their infected systems and restore.
“We observed attempts to access the backup solution employed in the environment, likely to prevent the organization from successfully recovering without paying the demanded ransom,” noted the Cisco Talos researchers.
“The ‘sudo’ command was used to obtain credentials associated with a commercial backup solution, likely trying to gain access to backups present within the environment.”
Microsoft dispatched updates to address the PrintNightmare bugs last month, but the flaws remain exposed in many enterprise, government and academic networks where new updates need to be tested and administrators are sometimes months behind on patching. Users and admins are urged to get the fixes implemented as soon as possible.
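Because the bugs live in the Print Spooler service and are being used for lateral movement rather than initial access, a quick way for defenders to gauge exposure is to check each Windows host for whether the spooler is running, whether Microsoft’s Point and Print hardening values are set, and whether recent print-driver installations show up in the PrintService log. The script below is an added example written for this article, not code from Cisco Talos or Microsoft; the registry path and value names are Microsoft’s documented Point and Print policy settings, and the event IDs (316 for a driver being added, 808 for a plug-in module failing to load) are the ones Microsoft’s PrintService operational log emits. Treat the “expected” values as an assumption to confirm against current Microsoft guidance for your environment.

```powershell
# PrintNightmare exposure check (added example, run as an administrator on the host being audited).
# It does not change anything; it only reports state an admin would want to know before patching.

$pnpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# 1. Is the Print Spooler service running at all? Hosts that never print (e.g. domain controllers,
#    database servers) can often stop and disable it, removing the exposed component entirely.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output 'Spooler service: not present'
} else {
    Write-Output ("Spooler service: {0} (startup type: {1})" -f $spooler.Status, $spooler.StartType)
}

# 2. Point and Print policy values. Microsoft's post-patch guidance (assumed here as the baseline):
#    NoWarningNoElevationOnInstall and UpdatePromptSettings should be 0 or absent, and
#    RestrictDriverInstallationToAdministrators should be 1, so the fix is not re-opened by policy.
$expected = @{
    NoWarningNoElevationOnInstall            = 0
    UpdatePromptSettings                     = 0
    RestrictDriverInstallationToAdministrators = 1
}
$current = Get-ItemProperty -Path $pnpKey -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $value = if ($null -ne $current -and $null -ne $current.$name) { $current.$name } else { 'not set' }
    $ok = if ($value -eq 'not set') { $expected[$name] -eq 0 } else { $value -eq $expected[$name] }
    Write-Output ("Point and Print {0}: {1} -> {2}" -f $name, $value, $(if ($ok) { 'OK' } else { 'REVIEW' }))
}

# 3. Recent driver installs and plug-in load failures in the PrintService operational log.
#    Unexpected 316 events on servers, or bursts of 808 events, are worth triage when
#    lateral movement through the spooler is a concern.
$log = 'Microsoft-Windows-PrintService/Operational'
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 316, 808; StartTime = $since } -ErrorAction SilentlyContinue
if ($null -eq $events) {
    Write-Output ("PrintService log: no driver-add (316) or plug-in failure (808) events since {0}, or log disabled" -f $since)
} else {
    foreach ($e in $events) {
        Write-Output ("{0}  ID {1}  {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
    }
}
```

The PrintService operational log is disabled by default on many builds, so an empty result in step 3 may mean “not logging” rather than “nothing happened”; enabling it on print servers and high-value hosts is a cheap detection improvement that complements patching.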
Though the group is a relatively new name in the ransomware space, it is entirely possible that some members of the group have previously operated as part of other ransomware groups, thanks to the growing network of investment and cooperation amongst ransomware crews.