Night Terrors: Ransomware Campaigns Are Exploiting PrintNightmare


PrintNightmare is being actively exploited to distribute ransomware, ZDNet reports, and security researchers have found evidence of multiple threat actors taking advantage of the vulnerability.

Microsoft acknowledged PrintNightmare on July 1. It released an emergency update to address the flaw less than a week later, but that patch was imperfect, and the company didn’t have an official fix until it changed the default behavior of Point and Print driver installation on Aug. 10.
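As an added illustration (not from the article), a read-only PowerShell audit of the two host settings involved in the mitigations discussed here: whether the Print Spooler service is running, and whether Point and Print driver installation is restricted to administrators, the default Microsoft switched to on Aug. 10. The registry path and value name are assumptions taken from Microsoft's documentation for that update; verify them against the current guidance before relying on them.

```powershell
# Added audit script, not from the article. Reports only; changes nothing.
# Assumption: the Point and Print restriction is read from the policy key below,
# where RestrictDriverInstallationToAdministrators = 1 means "administrators only".

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$ppKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppValue = (Get-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators `
            -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

$findings = @()

# Spooler exposure: a host that never prints gains nothing from running the service.
if ($null -eq $spooler) {
    $findings += 'Print Spooler service not present on this host.'
} elseif ($spooler.Status -eq 'Running') {
    $findings += "Print Spooler is running (StartType: $($spooler.StartType)); consider disabling it where printing is not needed."
} else {
    $findings += "Print Spooler is $($spooler.Status) (StartType: $($spooler.StartType))."
}

# Point and Print: only 1 is the hardened setting. An absent value is ambiguous:
# after the Aug. 10 update it means the new restricted default applies; before it, non-admin installs are allowed.
if ($ppValue -eq 1) {
    $findings += 'Point and Print driver installation restricted to administrators (patched default).'
} elseif ($null -eq $ppValue) {
    $findings += 'RestrictDriverInstallationToAdministrators not set; confirm the Aug. 10 update is installed, otherwise non-admin driver installs are allowed.'
} else {
    $findings += "RestrictDriverInstallationToAdministrators = $ppValue; non-admin driver installs allowed. Set to 1 to restore the patched default."
}

$findings | ForEach-Object { Write-Output $_ }
```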

Many people are slow to update their systems, however, and security researchers at CrowdStrike and Cisco Talos Incident Response independently shared their discovery that hacking groups were exploiting the PrintNightmare vulnerability in the days following Microsoft’s latest patch.

CrowdStrike said on Aug. 11 that it “identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims” in July. It successfully blocked those attacks, but systems that don’t rely on its protections could still be targeted by the ransomware.

“CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” the company said, and the researchers at Cisco Talos proved that estimate was correct with their own announcement.

Cisco Talos said on Aug. 12 that a ransomware campaign operator known as Vice Society, which has targeted “public school districts and other educational institutions” as well as other “small or midsize victims,” was actively exploiting PrintNightmare as part of its latest attacks as well.

“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks,” Cisco Talos said. “Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.”


PrintNightmare is a compelling target in part because it affects every version of Windows. Defending against it also requires changing the operating system’s behavior by disabling the Print…