In the wake of recent large-scale cyberattacks around the world, Microsoft has announced that a further critical vulnerability has been found in the Windows Print Spooler, one that has been aptly dubbed PrintNightmare. This is not something anyone should take lightly, and here’s why…
On June 29th, 2021, a security researcher and technical architect tweeted a proof-of-concept (PoC) exploit, together with an explanation of the vulnerabilities in the Windows Print Spooler service, before quickly deleting it. Despite its prompt deletion, it was live long enough to be copied to other sites, so a PoC exploit is now circulating on the internet.
No biggie. It can’t be that much of a security issue, right? WRONG!
This exploit is the code equivalent of giving a stranger the keys to your front door and rolling out the red carpet for them, so they can take over your life – or your business.
The Windows Print Spooler situation
In a nutshell, the Windows Print Spooler is a default Windows service, enabled on ALL Windows clients and servers, that makes printing management within a network far more seamless. When a computer is physically connected to a printer, the Print Spooler lets that computer provide printing services to the other computers on the network. While this is a helpful tool for many reasons, the PrintNightmare vulnerability allows any authenticated user to perform privileged file operations, which can be used to escalate their privileges as far as domain admin level, meaning they gain system-level control and can do anything they want. So there should be two main priorities for Windows users right now: mitigation and detection.
How to mitigate your business’s risk?
At this point, it should go without saying that if you haven’t updated your systems with the new security patches for this issue, you should go and do it IMMEDIATELY! But depending on the size of your organisation, this could be a big job that can’t be completed overnight, so you may need to consider other options to secure yourself in the meantime.
Can’t I just turn off Windows Print Spooler service?
Sure. Does this solve the problem and keep your business running perfectly? No.
Turning off the Print Spooler service is a workable solution if you don’t need or want to print anything, which is unlikely for most businesses. Nevertheless, this has been the response in America, where Federal agencies have been ordered to disable Microsoft’s Print Spooler service completely until all security updates and management controls have been implemented, a recommendation that has also been passed on to both public and private organisations. As this vulnerability has the potential to turn into an international and extremely economically damaging cyber event, businesses need to be more vigilant in protecting their critical data and systems.
So, if the Print Spooler needs to be turned off, it needs to be turned off.
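The interim mitigation described above, as an added example that is not from the article or from Microsoft: a PowerShell script that stops and disables the Print Spooler on a host, but first checks whether the host is sharing printers to the network, since disabling the service there would break printing for everyone who depends on it. It assumes Windows PowerShell 5.1 or later running as an administrator; the log path and the use of Get-Printer (from the optional PrintManagement module) are this example's own choices.

```powershell
# Added example, not the article's own code. Interim PrintNightmare mitigation:
# disable the Print Spooler service unless this host is sharing printers.
# Assumes PowerShell 5.1+ run as administrator. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed log location; adjust to your environment.
    [string]$LogPath = "$env:ProgramData\spooler-mitigation.log"
)

function Write-Log([string]$Message) {
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Log "Before: Spooler status=$($svc.Status) startup=$($svc.StartType)"

# Caveat from the article: a host that provides printing to other computers
# needs the service. If any print queue is shared, leave the service alone
# and report it so the host can be patched rather than switched off.
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object Shared)
}
if ($shared.Count -gt 0) {
    Write-Log ("Host shares {0} printer(s): {1}. Leaving Spooler running; patch this host first." -f `
        $shared.Count, ($shared.Name -join ', '))
    return
}

# No shared printers: stop the service and prevent it from starting at boot.
if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    $after = Get-Service -Name Spooler
    Write-Log "After: Spooler status=$($after.Status) startup=$($after.StartType)"
}
```

Run it once with -WhatIf to see what it would do on a given host, then without it to apply the change; once the host is patched, re-enable the service with Set-Service -Name Spooler -StartupType Automatic.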
What’s Microsoft’s advice to detect breaches?
Although Microsoft have worked hard to patch the vulnerabilities as quickly as possible, every user remains at risk of attack until the security updates have been applied (the most recent update patches over 100 vulnerabilities). So, Microsoft advise using security products, such as Microsoft 365 Defender, to search for alerts and telemetry showing suspicious behaviour.
Security products like Microsoft 365 Defender include advanced hunting queries which provide the necessary information to secure web sites, APIs, applications, databases, remote desktops and other resources. They do this by conducting on-demand scans against an internal database of vulnerabilities and then generating reports that can be sent via email or downloaded to a repository.
The latest version of Microsoft 365 Defender includes advanced hunting queries such as SQL injection and XSS scanning. This makes it easier for users to detect potential threats in their environment without having to conduct any manual research themselves.
Update before it’s too late…
Systems that have not been updated are open to cyberattacks and risks. It is important for businesses to implement these updates as soon as possible, because the consequences could be devastating. So, if your company has not yet updated its systems, now is the time to take action. Contact Lindentech’s team of security experts before it’s too late.