News from our Cybersecurity Expert Center

We bring you the latest cybersecurity news and alerts.

Contact us at siainfo@sia.es

Outstanding cybersecurity news

Vulnerabilities

  • Atlassian patches critical vulnerability in Jira Data Center products (bleepingcomputer.com)
  • Dell Fixes Multiple Critical Vulnerabilities in OpenManage Enterprise Products (securityweek.com)

Malware

  • Phoenix CryptoLocker operators compromise CNA network via fake browser update (bleepingcomputer.com)
  • Japanese computers targeted by Wiper malware (therecord.media)

Cybersecurity

  • Kaseya obtains universal decryptor for REvil ransomware victims (cyberscoop.com)
  • South African port of Cape Town suffers cyberattack that disrupts South Africa's major port operations (itnews.com.au)

Latest threats detected

New Zero-day Windows print spooler exploitable through remote print servers

19/7/2021

Executive Summary

A new zero-day vulnerability has been publicly disclosed that allows an attacker to gain SYSTEM privileges on a Windows machine via a remote print server.

Data

Type: Hacking
TLP: White
Targets: Multiple
Affected assets: Windows Systems
Attack vector: Vulnerability
Tags: CVE-2021-34527, PrintSpooler, Printnightmare, Windows, zero-day

Overview

Last month, details of a zero-day vulnerability (CVE-2021-34527) in the Windows Print Spooler, known as PrintNightmare, were accidentally published. Microsoft released a security update to fix the vulnerability, but some researchers concluded that the patch could be bypassed under certain conditions.

Today, security researcher and creator of Mimikatz, Benjamin Delpy, has publicly disclosed a new zero-day vulnerability in the Windows Print Spooler that gives an attacker administrator privileges on a Windows machine via a remote print server under the attacker's control.

Delpy reported that the attack makes use of the 'Queue-Specific Files' feature of Windows Point and Print. Point and Print refers to the ability of a user on a Windows 2000 or later client to create a connection to a remote printer without providing disks or other installation media: all necessary files and configuration information are automatically downloaded from the print server to the client.

The attack uses this feature to automatically download and execute a malicious DLL when a client connects to a print server that is under the control of an attacker.

To demonstrate the vulnerability, the researcher created an Internet-accessible print server with two shared printers that use the queue-specific files function discussed above.

When the malicious DLL is executed, it runs with SYSTEM privileges and can be used to execute any command on the victim's computer.

What makes this vulnerability so dangerous is that it affects all current versions of Windows and allows an attacker with only limited network access to almost instantly gain SYSTEM privileges on the compromised device. From there, actors could move laterally across the network to gain access to a domain controller.

To mitigate this vulnerability, two possible options have been reported. The first is to block outbound SMB traffic so that clients cannot reach the remote print server; however, it has been noted that Windows Point and Print can install drivers without using SMB, so actors could still use this technique with a local print server.

The other option is to create a Group Policy that prevents users without administrator permissions from installing print drivers via Point and Print unless the print server is on a pre-approved list.

 

Recommendations

Protection

  • Apply the corresponding security patch
  • Update endpoint security systems, such as antivirus software

Detection

  • If you detect anomalies in the behaviour or functionality of your systems, contact your technical support service.

Mitigation

  • Disable the Print Spooler service (spoolsv.exe) on all Windows-based servers that do not need to print
  • Block outbound SMB traffic
  • Block print driver installation via Group Policy
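As an added example that is not part of this advisory, the following PowerShell script audits and applies the three mitigations listed above on a single host by writing the registry values that back the "Point and Print Restrictions" Group Policy, adding an outbound SMB firewall rule and (for servers only) disabling the spooler; the approved server names and the firewall rule name are placeholders.

```powershell
# Added example, not the advisory's own code. Run in an elevated PowerShell session.
# $PnPKey is the documented registry store of the "Point and Print Restrictions" policy.
$PnPKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Approved = @('printsrv01.corp.example', 'printsrv02.corp.example')  # placeholder allow-list

function Test-PointAndPrintHardening {
    # $true only when driver installs require elevation AND are limited to approved servers
    $v = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue
    if (-not $v) { return $false }
    return ($v.NoWarningNoElevationOnInstall -eq 0) -and
           ($v.UpdatePromptSettings -eq 0) -and
           ($v.TrustedServers -eq 1) -and
           (-not [string]::IsNullOrEmpty($v.ServerList))
}

function Set-PointAndPrintHardening {
    if (-not (Test-Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }
    # 0 = "Show warning and elevation prompt" for new connections and for driver updates
    Set-ItemProperty -Path $PnPKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PnPKey -Name UpdatePromptSettings          -Value 0 -Type DWord
    # Restrict Point and Print to the approved servers (semicolon-separated list)
    Set-ItemProperty -Path $PnPKey -Name TrustedServers -Value 1 -Type DWord
    Set-ItemProperty -Path $PnPKey -Name ServerList     -Value ($Approved -join ';') -Type String
}

function Block-OutboundSmb {
    # Stops clients reaching an external print share over SMB; as noted above this does
    # not cover a local print server, so the policy hardening is still required.
    $name = 'Block outbound SMB (PrintNightmare)'  # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

function Disable-PrintSpooler {
    # For servers that never print: stops the service and prevents it from starting again
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

# Usage: audit first, then apply what this host needs
if (-not (Test-PointAndPrintHardening)) { Set-PointAndPrintHardening }
Block-OutboundSmb
"Point and Print hardened: $(Test-PointAndPrintHardening)"
# Call Disable-PrintSpooler only on servers with no printing role.
```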

 

We promote the transformation of business and society through innovative solutions and services, putting people at the center.

 

 

minsait.com

Indra is one of the leading global technology and consulting companies: the technology partner for key operations of client businesses worldwide.

 

indracompany.com