A number of vulnerabilities within the printing application has led to a string of cyberattacks from all over the world.
If you have used Windows’ Print Spooler application recently, you could be the victim of a hack. A new report, from cybersecurity company Kaspersky, has found that cybercriminals conducted approximately 65,000 attacks through Windows’ Print Spooler application between July 2021 and April 2022. In addition, nearly half (31,000) of the attacks have taken place in the first four quarter of 2022. Print Spooler is typically employed to help users manage the printing process, but due to numerous vulnerabilities has become a hotbed for cyber criminals looking to carry out attacks.
Print Spooler’s vulnerabilities and the numerous attacks
The exploits, CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare), were found through an uncommon source, as it was mistakenly published as a proof of concept (POC) to GitHub for the application’s vulnerabilities. Once on GitHub, users downloaded the POC exploit, and a number of severe gaps were discovered within the application. Just last month, another critical vulnerability was discovered, leading to many of the attacks as the cybercriminals were able to access corporate resources, according to Kaspersky.
Once the vulnerabilities were identified, Microsoft issued a patch, attempting to stop the attacks stemming from PrintNightmare and the recently discovered exploit, but some organizations that have fallen victim failed to download and implement the patch before being taken advantage of.
“Windows Print Spooler vulnerabilities are a hotbed for emerging new threats,” said Alexey Kulaev, security researcher at Kaspersky. “We anticipate a growing number of exploitation attempts to gain access to resources within corporate networks, accompanied by a high-risk of ransomware infection and data theft. Through some of these vulnerabilities, attackers can gain access not only to victims’ data but also to the whole corporate server. Therefore, it is strongly recommended that users follow Microsoft’s guidelines and apply the latest Windows security updates.”
The attacks have targeted users from a number of countries around the world, as the cybersecurity company found that from July 2021 to April 2022, nearly a quarter of detected hits came from Italy. Outside of Italy, users in Turkey and South Korea were the most actively attacked, and most recently, researchers also discovered that over the past four months attackers were most active in Austria, France and Slovenia.
How to protect your systems from the exploit
In order for users to protect themselves from being the next victims of an attack, Kaspersky offers the following tips:
- Install patches for new vulnerabilities as soon as possible
- Performing a regular security audit of organization IT infrastructure
- Use a protection solution for endpoints and mail servers with anti-phishing capabilities
- Use dedicated services that can help fight against high-profile attacks
- Installing anti-APT and EDR solutions, enabling threat discovery and detection
Ensuring that all system vulnerabilities have been patched is recommended as the best solution for the exploit in question, according to the security company. Outside of this specific instance, always having up to date endpoint security and employing a zero trust model are the best ways to avoid being exploited.