[Dateline: Safety Harbor, FL, 7-9-2021] — [Alaris Threat Mitigation Consultants is a leading provider of cyber defense for small- to medium-sized corporations. This article is an alert concerning a current threat posed by hackers.]
Alert: Malware Disguised as Patches
Be Careful What You Open
In the wake of the Kaseya and Microsoft flaws recently published and exploited in the last week, another cybercrime group is attempting to capitalize on the confusion. A malware spam campaign is spreading a link pretending to be a Microsoft security update, along with an executable file that surreptitiously installs the Cobalt Strike package on unsuspecting users.
On Tuesday night, the Malwarebytes Threat Intelligence service published a screen capture of the malware-laden email. The email included an attachment named “SecurityUpdates.exe” and a message urging recipients to “install the update from microsoft to protect against ransomware as soon as possible. This is fixing a vulnerability in Kaseya.”
If you are expecting patches from Kaseya, download them directly from Kaseya. Microsoft patches will be distributed through the normal Windows Update process. If needed, download those directly from Microsoft.
Microsoft’s Initial Print Nightmare Patch Instructions
Microsoft has released an emergency Windows patch to address a critical flaw in the Windows Print Spooler service (CVE-2021-34527). Known to the security community as Print Nightmare, the vulnerability can allow hackers to take over an affected system and can form a beachhead for the implantation of ransomware or other malicious activity.
Because the Print Spooler service runs by default on Windows, Microsoft has issued emergency patches for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, and several versions of Windows 10. Microsoft has even released patches for Windows 7, which officially went out of support last year. Patches for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 will be released soon.
“We recommend that you install these updates immediately,” says Microsoft. “The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as ‘PrintNightmare’.”
In cases where an operating system version is not protected by the patch, Microsoft is offering several workarounds for Print Nightmare.
1) Stop and disable the Print Spooler service — and thus the ability to print both locally and remotely — by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.
2) Disable inbound remote printing through Group Policy by disabling the “Allow Print Spooler to accept client connections” policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.
3) A potential option to prevent remote exploitation of the bug, which has worked in “limited testing,” is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level. CERT/CC cautions, however, that “blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.”
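As an added example (not part of the original alert or of Microsoft's guidance), the following PowerShell audits a host against workarounds 1 and 2 above before anything is changed. It assumes the “Allow Print Spooler to accept client connections” policy is stored as the RegisterSpoolerRemoteRpcEndPoint value under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (1 = allow, 2 = block); confirm that location for your Windows build.

```powershell
# Added example: report whether the Print Nightmare workarounds are in place.
# Assumption: the Group Policy "Allow Print Spooler to accept client connections"
# is written to RegisterSpoolerRemoteRpcEndPoint (1 = allow, 2 = block).
function Get-PrintNightmareMitigationState {
    [CmdletBinding()]
    param()

    # Workaround 1: service must be stopped AND set to Disabled
    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $startup = (Get-CimInstance Win32_Service -Filter "Name='Spooler'").StartMode
    $wa1     = ($null -ne $svc -and $svc.Status -eq 'Stopped' -and $startup -eq 'Disabled')

    # Workaround 2: policy blocks inbound client (remote) connections
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $policyPath -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $rpcState = switch ($rpc) { 1 { 'Allowed' } 2 { 'Blocked' } default { 'NotConfigured' } }
    $wa2 = ($rpc -eq 2)

    # DomainRole 4/5 = backup/primary domain controller, where the spooler
    # should be disabled outright if the host does not need to print
    $isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        IsDomainController  = $isDC
        SpoolerStatus       = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartup      = $startup
        RemoteClientsPolicy = $rpcState
        Workaround1Applied  = $wa1
        Workaround2Applied  = $wa2
        # Flag hosts that are most exposed: a DC still running the spooler
        NeedsAttention      = ($isDC -and -not $wa1)
    }
}

# Applies workaround 1 exactly as described above; all printing on this host stops.
function Disable-PrintSpoolerWorkaround {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

Get-PrintNightmareMitigationState | Format-List
```

Run the audit from an elevated session and only call Disable-PrintSpoolerWorkaround on hosts whose report shows they do not need to print.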
Print Nightmare was first publicized on June 29th and was designated as CVE-2021-1675. It began when a proof-of-concept (PoC) exploit for the vulnerability was published on GitHub. The disclosure showed how an attacker can exploit the vulnerability to take control of an affected system. It was taken back down within a few hours, but as with everything else that is published on the internet, the code was copied and remains floating around in cyberspace.
Microsoft released a patch for CVE-2021-1675 in its usual patch distribution, addressing what it thought was a minor vulnerability. However, it soon became apparent to many experts that the initial patch DID NOT fix the entire problem. CERT/CC announced its own workaround for Print Nightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.
After security researchers determined that the initial patch did not fully address the vulnerability, Microsoft then published a notice for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number—in this case, CVE-2021-34527.
“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time.
“The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update,” Microsoft went on to advise.