Russian Hackers Exploit MFA protocols and Print Spooler “PrintNightmare” vulnerability

By John Gates, on March 20th, 2022

A joint Cybersecurity Advisory (CSA) was issued by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) recently warning organizations about a Russian state-sponsored cyber-attack. The cyber actors ran arbitrary code using system privileges by exploiting a Windows Print Spooler vulnerability, “PrintNightmare.”

 

PrintNightmare vulnerability

Microsoft’s Print Spooler vulnerability (CVE-2021-34527) is Microsoft’s service for managing and monitoring file printing and has had minimal maintenance updates since its release. Once an attacker gains limited user access to a network the cyber actor will be able to connect (directly or remotely) to the Print Spooler. On July 2021 Microsoft published which vulnerability exploitation is possible and providing the base score evaulation of the vulnerable component

 

Threat Actor Activity

Russian state-sponsored cyber actors gained initial access to the victim organization through exploitation of default MFA protocols and a known vulnerability by enrolling a new device in the organization’s Duo MFA. By using a brute force password attack, this allowed the cyber actors to gain access to the victim account using it to access the operating system and enabling cloud and email accounts for data exfiltration.

 

How to mitigate Print Spooler’s ‘PrintNightmare’ vulnerability

The best thing you can do to mitigate this vulnerability is to disable your Print Spooler on every server and/or sensitive workstation. The FBI and CISA agencies are urging all organizations to apply the recommended mitigations:

  • Enforce MFA and review configuration policies to protect against “fail open” and re-enrollment scenarios.
  • Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems.
  • Patch all systems. Prioritize patching for known exploited vulnerabilities.

Hardening Automation for Print Spooler

Over the past few years Print Spooler vulnerabilities were introduced  and it seems like PrintNightmare is here to stay and might not be the last one. Therefore it is highly recommended not just to patch your systems but to make the effort and disable the Print Spooler on all  of your systems. Disabling the spooler will reduce the attack surface significantly and improve your infrastructure cyber hygiene.

 

Hardening requires long hours of intensive work that won’t always guarantee your protection. It is a mistake-prone task that can sometimes lead to breaking the organization’s production environment. CalCom offers an automated approach for hardening. Our solution will ensure your infrastructure is hardened according to your desired policy, eliminating the risk for production outages and configuration drifts.