What you can do about the Windows Print Spooler vulnerability.
For a decade, the Windows Print Spooler service has suffered several vulnerabilities. Recently, another problem popped up in the printer software—now officially known as “PrintNightmare.”
“PrintNightmare” stepped into the spotlight when organizations such as the US Cybersecurity & Infrastructure Security Agency (CISA) and CERT Coordination Center (CERT CC) started declaring that urgent action was needed to combat this vulnerability.
These agencies advised, at first, disabling the Print Spooler service on all critical Windows systems. After these announcements, some speculated that this flaw was a previously known issue that had already been fixed.
Later it was determined that “PrintNightmare” was a separate flaw entirely.
After the initial announcement of this new vulnerability, Microsoft issued an emergency patch update on July 6 and advised organizations to apply it as soon as possible.
The next evolution of cyber attack—“living off the land”—is here. Its stealthy nature makes both the attack and the attacker undetectable.
You are aware that corrupted files can damage your company’s online systems and networks. But you may not know about a new breed of digital bugs that behaves like parasites, living off the land (LotL). And they can hide in your systems for years.
The newest forms of malware fly under the radar of network security software. Cyber attackers “live off the land” by using your computer system as their secret hidden base. Cybersecurity software can detect malicious files easily. These new attackers are fileless and almost impossible to detect.
“Living Off the Land” Attacks Are Mainstream
Christopher Campbell and Matt Graeber coined the phrase “living off the land” in 2013. Fileless malware hides within your system and compromises it without leaving the files that security tools look for, so the threat goes undetected. Recently, these attacks have become more common and more sophisticated.
Fileless attacks have become mainstream. Cybercriminals use a variety of methods to “live off the land.” They quietly infiltrate and corrupt your system. By using popular malware like Astaroth, POSHSPY, or POWRUNER, these attackers remain invisible.
What Does LotL Look Like?
Attackers abuse the legitimate tools and utilities already present on your system. For example, they can compromise your system by manipulating
- PowerShell scripts
- Visual Basic scripts
- Mimikatz
This turns your own systems to criminal purposes. The resulting activity can include:
- DLL hijacking
- Hiding payloads
- Stealing files
- Log evasion
- Code execution
Anti-ransomware programs don’t work on encrypted files. Criminals can hide ransomware from users and from protection software. Cybercriminals use NTFS Alternate Data Streams to bury malware, and they insert malicious code into trusted processes so that it goes undetected.
What is “PrintNightmare” exactly?
“PrintNightmare” is a vulnerability in the Windows Print Spooler service. It is a critical remote code execution (RCE) vulnerability: the service fails to properly restrict who is allowed to install printer drivers on Windows operating systems.
This vulnerability exists across all Windows versions that utilize the Print Spooler service, an interface between the operating system and a printer. The Spooler service handles the loading of printer drivers and the buffering, queuing, and ordering of printing jobs.
This Spooler service acts as a print client, admin client, and print server. The “PrintNightmare” vulnerability grants system-level access to an attacker who reaches the admin client interface through the Spooler service.
Once attackers gain access to the core domain controllers and the Active Directory admin servers, they can run arbitrary code and download malware. Also, they can view, change, and delete data—with the ability to create new user accounts.
This severe flaw grants an attacker the ability to take over the Active Directory, resulting in the complete loss of integrity, availability, and confidentiality.
What to do about “PrintNightmare”?
According to ExtraHop, up to 93% of Print Spooler service environments could be vulnerable to “PrintNightmare”, and ExtraHop believes it to be the most severe security flaw since SolarWinds.
Luckily, right after “PrintNightmare” became known, Microsoft released a security update and provided multiple ways to combat this vulnerability. The first of these is, of course, to apply the security patch immediately.
Minimize the Risk of LotL Attacks
Protection software usually ignores processes that appear legitimate. LotL attacks seem to come out of nowhere because they usually execute inside trusted components. It’s hard to avoid LotL attacks and difficult to identify the attacker.
To protect your systems, turn off or remove unnecessary components. Use behavioral analytics software to monitor your system, and require multi-factor authentication. Be wary when clicking on random email links and opening attachments. Never let your guard down.
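As an added example (not code from the original post or from GLXY), here is one concrete form the “monitor your system” advice can take on Windows: turn on PowerShell Script Block Logging and scan the resulting event ID 4104 records for patterns that commonly appear when legitimate scripting tools are abused. The registry path is the standard Group Policy backing value for Script Block Logging; the indicator list is illustrative rather than a complete ruleset, and the `$ConstructedScriptBlocks` lines are made-up samples so the check can be tried without a live event log.

```powershell
# Added example: detect "living off the land" style abuse of PowerShell
# by inspecting logged script blocks. Run as Administrator for the
# Enable-* and Get-* functions; the offline sample at the bottom needs no rights.

# Illustrative indicators of tool abuse (encoded or downloaded-then-executed
# code, script-host and LOLBin invocations). Extend for your environment.
$Indicators = @(
    '-EncodedCommand', 'FromBase64String',
    'DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX ',
    'WScript.Shell', 'mshta', 'regsvr32'
)

function Enable-ScriptBlockLogging {
    # Enables PowerShell Script Block Logging (policy key assumed per the
    # standard Group Policy mapping). Events land in
    # Microsoft-Windows-PowerShell/Operational as ID 4104.
    $Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Test-ScriptBlockIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Returns the indicators found in one script block (empty array if none).
    # -match is case-insensitive; the indicator text is escaped so it is
    # treated literally rather than as a regular expression.
    return @($Indicators | Where-Object { $ScriptText -match [regex]::Escape($_) })
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)
    # Reads recent 4104 events and reports the ones matching any indicator.
    # Property index 2 of a 4104 event is ScriptBlockText.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Text = [string]$_.Properties[2].Value
        $Hits = Test-ScriptBlockIndicators -ScriptText $Text
        if ($Hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Indicators = ($Hits -join ', ')
                Snippet    = $Text.Substring(0, [Math]::Min(80, $Text.Length))
            }
        }
    }
}

# --- Offline demonstration on constructed sample script blocks ---
$ConstructedScriptBlocks = @(
    'Get-ChildItem C:\Reports | Measure-Object',                                   # routine admin work
    'Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("<base64-placeholder>")))',  # decode-and-run pattern
    'Set-Location C:\Users\alice\Documents'                                         # routine
)
foreach ($Block in $ConstructedScriptBlocks) {
    $Hits  = Test-ScriptBlockIndicators -ScriptText $Block
    $Label = if ($Hits.Count -gt 0) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $Label, $Block
}
# On a live host: Enable-ScriptBlockLogging; later, Get-SuspiciousScriptBlocks | Format-Table
```

The offline loop flags only the second sample (it matches both `Invoke-Expression` and `FromBase64String`); in production, feed `Get-SuspiciousScriptBlocks` output to your SIEM or behavioral analytics tooling rather than reviewing it by hand, and expect some benign hits from administrators’ own scripts.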
Another way to head off attackers is to disable the existing Print Spooler software, although this leaves you unable to do local or remote printing.
However, if you still need to print, you can combat the flaw by physically plugging the printer into your Windows computer and disabling inbound remote printing. This closes your operating system off from remote attackers trying to infiltrate your system.
Another option advised by Microsoft is to reduce the printing rights of as many users as possible on your computer. This reduction of printing rights is especially beneficial when multiple people use a computer, such as in an office setting.
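To make the three mitigations above concrete, here is an added PowerShell example (not code from the original post or from GLXY) that first audits a machine’s Print Spooler exposure and then offers one function per option. The `RegisterSpoolerRemoteRpcEndPoint` value is the registry setting behind the “Allow Print Spooler to accept client connections” Group Policy; mapping “reduce printing rights” to the Point and Print `RestrictDriverInstallationToAdministrators` value is my assumption of how to implement that advice, so verify both against Microsoft’s documentation for your Windows build before deploying.

```powershell
# Added example: audit and mitigate Print Spooler exposure. Run as Administrator.
# Registry locations are assumed from the standard Printers policy keys.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrint  = "$PrintersPolicy\PointAndPrint"

function Get-SpoolerExposure {
    # Reports whether the Spooler is running, whether it accepts inbound
    # remote connections, whether driver installs are admin-only, and whether
    # this host is a domain controller (the highest-value target in the post).
    $Svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $Remote = (Get-ItemProperty -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $Drv    = (Get-ItemProperty -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators' `
                -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $IsDc   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    [pscustomobject]@{
        SpoolerStatus         = if ($Svc) { $Svc.Status } else { 'NotInstalled' }
        SpoolerStartType      = if ($Svc) { $Svc.StartType } else { 'n/a' }
        InboundRemotePrinting = if ($Remote -eq 2) { 'Disabled' } else { 'Allowed (default)' }
        DriverInstallAdminOnly = ($Drv -eq 1)
        DomainController      = $IsDc
    }
}

function Disable-Spooler {
    # Option 1: stop and disable the service. No local or remote printing afterwards.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Disable-InboundRemotePrinting {
    # Option 2: keep printing to a directly attached printer but refuse
    # inbound client connections (value 2 = policy "Disabled").
    if (-not (Test-Path $PrintersPolicy)) { New-Item -Path $PrintersPolicy -Force | Out-Null }
    Set-ItemProperty -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    Restart-Service -Name Spooler
}

function Set-DriverInstallAdminOnly {
    # Option 3 (assumed mapping of "reduce printing rights"): only
    # administrators may install printer drivers via Point and Print.
    if (-not (Test-Path $PointAndPrint)) { New-Item -Path $PointAndPrint -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
}

# Audit first; then pick the least disruptive option the host can tolerate.
$State = Get-SpoolerExposure
$State | Format-List
if ($State.DomainController -and $State.SpoolerStatus -eq 'Running') {
    Write-Warning 'Spooler is running on a domain controller; consider Disable-Spooler.'
}
```

Re-run `Get-SpoolerExposure` after applying an option to confirm the change took effect, and roll the settings out through Group Policy rather than per-host scripts once you have validated them on a test machine.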
Spending a lot of time online exposes you to these “living off the land” attacks. Corporations are the most susceptible to such cyber attacks. Be sure your computer system’s protective software is working properly. Stay current on all system updates and upgrades.
Cyber attackers never sleep. Stay vigilant and alert to protect your business. Construction companies, general contractors, vendors, etc. are prime targets. Their computer systems are often less secure or aren’t updated often enough.
GLXY Software Solutions offers the latest technologies to secure your system. Reach out to us at any time to discuss the many ways we can protect your company’s online and offline systems.