Detecting PrintNightmare Exploit Attempts using Trend Micro Vision One and Cloud One Threat Research Engineer
PrintNightmare is one of the latest set of exploits abused for the Print Spooler vulnerabilities that have been identified as CVE-2021-1675, CVE-2021-34527, and CVE-2021-34481. It is a code execution vulnerability (both remote and local) in the Print Spooler service that affects all Windows versions running the said service. A number of researchers have come up with multiple exploit variants based on different implementations (over TCP and Server Message Block or SMB). By using different function calls for Print System Asynchronous Remote Protocol (MS-PAR) misusing RpcAsyncAddPrinterDriver, PrintNightmare can be exploited on servers and workstations, while abusing Print System Remote Protocol (MS-RPRN) allows PrintNightmare to misuse RpcAddPrinterDriverEx for an impacket implementation.
In this analysis, we look into the implementations of PrintNightmare and the visibility enabled by Trend Micro Vision One™ and Trend Micro Cloud One™ to mitigate the risks brought on by critical gaps found in systems such as the Print Spooler service. Using the indicators and attributes of exploitation attempts logged from network and endpoints, both platforms allow security teams and analysts a wider view of attack attempts for immediate and actionable response.
The timeline of PrintNightmare is as follows:
1. June 8: As part of the June security update, the bug identified as an elevation of privilege (EOP) in the Print Spooler service was patched. The vulnerability was tagged as CVE-2021-1675.
2. June 21: The same bug was later classified as both a remote code execution (RCE) and an EOP vulnerability.
3. June 29: Researchers with different RCE and EOP proofs of concept accidentally disclosed these publicly as a result of the assumption that their findings were exactly the same and that the bug had already been mitigated as part of the June security update. However, it had not been mitigated yet, and though the researchers deleted their proofs of concept, these had already been replicated and eventually cached by search engines.
4. July 1: A new vulnerability, considered a zero-day flaw, was assigned as CVE-2021-34527.
5. July 6: Microsoft released an out-of-band patch to mitigate CVE-2021-34527, but it only prevented a part of the RCE. Specifically, the patch only blocked DLLs from path implementations like “\\server\share\”.
6. July 7: Researchers reported the bypass, along with information that the universal naming convention (UNC) form of denoting paths, “\??\UNC\”, rather than the use of “\\”, could evade the patch.
7. July 15: Microsoft disclosed that a new EOP vulnerability in the Print Spooler service was found and assigned it as CVE-2021-34481.
8. August 10: Microsoft updated CVE-2021-34481 and released the patches to prevent exploitation.
Read More HERE