PrintNightmare Update (CVE-2021-34527)
Microsoft has completed the investigation and has released security updates to address this vulnerability. It is recommended that these updates be...
CVE-2021-1675 (aka PrintNightmare) is a vulnerability in the built-in Windows "Print Spooler" service. Microsoft released a patch for CVE-2021-1675 as a low-severity vulnerability on June 8. However, it has since been determined that the vulnerability is much more severe than originally thought, allowing local privilege escalation and remote code execution. Further, it has been determined that the June 8 Microsoft patch for this vulnerability does not resolve the issue. There is no patch currently available that actually addresses this vulnerability, but there are a few possible mitigations, listed below, that organizations can take to help secure their environments.
The Ingalls SOC is currently implementing custom detection alerting and threat-hunting in client environments for Indications of Compromise associated with the PrintNightmare vulnerability.
This advisory specifically applies to the following Windows products:
Several low-complexity proofs of concept are available, and there are early reports that CVE-2021-1675 is now being exploited in the wild.
The PrintNightmare vulnerability can be used along with harvested/leaked credentials to provide attackers with remote access or can be used post-exploitation to escalate privileges and to allow attacker lateral movement.
Local Privilege Escalation: If a threat actor has established a foothold on a compromised system and gained user access (including with low privilege, domain user accounts), PrintNightmare would allow the threat actor to gain administrator or SYSTEM access to the machine.
Remote Code Execution: Exploitation of the PrintNightmare vulnerability could provide threat actors with remote access (if they have already compromised valid user credentials) to vulnerable, web-exposed systems or can be used to escalate privileges and to facilitate lateral movement post-exploitation.
Some mitigations may impact business operations such as the ability to print/prune print jobs.
Disable the Microsoft Windows Print Spooler Service
Restrict Access Control Lists to the Affected Directory
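The following PowerShell script is an added example written for this page, not a script from Ingalls or from Microsoft, showing how an administrator could apply and verify the two interim mitigations listed above on a single host and roll the ACL change back once a vendor fix is installed. It assumes that the "affected directory" is the print-driver store under %SystemRoot%\System32\spool\drivers and that the ACL restriction takes the form of a Deny-Modify entry for SYSTEM on that tree; both are assumptions, not statements from the advisory. The function names (Get-SpoolerState, Disable-SpoolerService, Add-DriverDirDenyRule, Remove-DriverDirDenyRule, Test-DriverDirDenyRule) are also this example's own.

```powershell
# Added example, not part of the Ingalls advisory. Applies or reverts the two
# interim PrintNightmare mitigations named above on the local host. Run elevated.
# ASSUMPTION: the "affected directory" is the print-driver store below; the
# advisory itself does not name a path.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$DisableSpooler,    # stop and disable the service (no printing at all)
    [switch]$RestrictDriverDir, # keep printing, block new driver files being written
    [switch]$Revert             # remove the Deny rule again after patching
)

$driverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'   # assumed path

function Get-SpoolerState {
    # Current status and start type, so the before/after change is visible.
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Disable-SpoolerService {
    # Stop now AND set StartupType to Disabled, otherwise it returns at next boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

function New-SystemDenyModifyRule {
    # Deny-Modify for SYSTEM, inherited by all files and subfolders of the tree.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Add-DriverDirDenyRule {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-SystemDenyModifyRule))
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-DriverDirDenyRule {
    # Revert: the Deny entry also blocks legitimate driver installs, so it must
    # be removed once the host is patched.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [void]$acl.RemoveAccessRule((New-SystemDenyModifyRule))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DriverDirDenyRule {
    # True when a Deny entry for SYSTEM that covers Modify is present.
    param([Parameter(Mandatory)][string]$Path)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like '*\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    })
}

# --- main -------------------------------------------------------------------
Write-Host "Spooler before: $(Get-SpoolerState | Out-String)"
if ($DisableSpooler) {
    # Show what stops working on this host before pulling the service.
    Write-Host 'Printers that will become unavailable:'
    Get-Printer | Select-Object Name, DriverName | Format-Table | Out-String | Write-Host
    Disable-SpoolerService
}
if ($RestrictDriverDir) { Add-DriverDirDenyRule    -Path $driverDir }
if ($Revert)            { Remove-DriverDirDenyRule -Path $driverDir }
Write-Host "Spooler after:  $(Get-SpoolerState | Out-String)"
Write-Host "Deny-Modify rule for SYSTEM on $driverDir present: $(Test-DriverDirDenyRule -Path $driverDir)"
```

Typical use is `.\Mitigate-PrintNightmare.ps1 -DisableSpooler` on servers that do not print (domain controllers in particular) and `-RestrictDriverDir` on hosts where printing must keep working; `-Revert` removes the ACL entry after the vendor update is applied. Test-DriverDirDenyRule is what a configuration-compliance check would call to confirm the mitigation is still in place.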