By CYFIRMA Research
First Published on 6 August 2021
Russian threat actors are suspected to have leveraged malware/ransomware and are believed to have exploited a zero-day vulnerability CVE-2021-34527.
Based on our research and analysis, we suspect state-sponsored Russian threat actor – TA505 or its affiliates to be carrying out these activities targeting multiple industries and geographies. These activities are suspected to be part of the Global Ransomware Campaign – night blood.
CYFIRMA suspects potential collaboration between Chinese hackers and Russian cybercriminals based on the indicators observed and given that Chinese hackers have targeted Japanese organizations with the same malware exploit kits in the past.
The primary motive of this campaign appears to be:
CYFIRMA recommends using reported IOC details for measures against this campaign and threat hunting within your environment.
CYFIRMA Risk Rating for this Research is Critical.
NOTE: The vulnerability has been reported as situational awareness intelligence. CYFIRMA would like to highlight the potential risk and indicators observed which may be leveraged by nation-state threat actors in exploiting the vulnerability to gain a foothold and exfiltrate sensitive information from the target organizations.
Remote Code Execution Vulnerability in Microsoft Windows Print Spooler – (PrintNightmare)
CVSS Score: 8.8
Exploit Details: This zero-day vulnerability is being exploited in the wild and has been leveraged by REvil Ransomware Group. The exploit details can be referred to in the Link. (Source: Surface Web)
Microsoft Windows could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the Print Spooler service.
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code on the system with privileged access and could result in the complete compromise of the vulnerable system.
The vulnerability exists due to improper input validation within the RpcAddPrinterDriverEx() function. A remote user can send a specially crafted request to the Windows Print Spooler and execute arbitrary code with SYSTEM privileges.
The CWE is CWE-269, and the vulnerability has an impact on confidentiality, integrity, and availability.
Please refer to the following links for the affected versions: Source
Please refer to the following links for the mitigations: Source
To download the full report, write to [email protected]