Blocking the Exploitation of PrintNightmare
Last week, in its Patch Tuesday update, Microsoft Security Response Center released an additional security fix for the series of zero-day vulnerabilities known collectively as “PrintNightmare,” which can be used to break into all versions of Windows computers. According to the executive summary of the Windows Print Spooler Remote Code Execution Vulnerability:
“A remote code execution (RCE) vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The workaround for this vulnerability is stopping and disabling the Print Spooler service.”
Since organizations are slow to patch this vulnerability, threat actors are successfully exploiting this threat, according to recent news reports. For example, in a recent blog, Cisco Talos Incident Research noted that threat actors are actively exploiting these vulnerabilities for ransomware cyberattacks. As we know from past experience, an exploited RCE vulnerability relinquishes execution control to the attacker to not only install more tools required to perpetuate the attack but also establish a two-way communication path back to the attacker’s command control center. The attacker can then gain full keyboard control of the victim.
Virsec is the only vendor to protect the entire attackable surface of the application — including Host, Memory, and Web layers — during runtime. By protecting at the host level, the Virsec Security Platform can detect and block any attacks exploiting PrintNightmare as well as other zero-day-vulnerabilities. Learn more how we can protect your organization – visit us at here.