Cybercriminals are increasingly exploiting Windows Print Spooler vulnerabilities

Woburn, Massachusetts – May 10, 2022 – Kaspersky researchers have revealed that the number of attacks exploiting various vulnerabilities in Windows Print Spooler has increased significantly over the past four months. While Microsoft regularly releases patches for Print Spooler, the Windows component that manages the printing process, cybercriminals continue to actively exploit its vulnerabilities, which give them the opportunity to distribute and install malware on victims’ computers that can steal stored data.

Over the past year, several security vulnerabilities have been discovered in Windows Print Spooler. By abusing them, cybercriminals were able to take control of the servers and devices of the victims, even without special administrative access.

The most well-known vulnerabilities are CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare), which were discovered in late June 2021. PrintNightmare was accidentally published by researchers as a proof-of-concept (PoC) exploit for an important Windows vulnerability in Print Spooler. The exploit was quickly removed from GitHub; however, some users had already managed to download it and then repost it. In late April 2022, a very serious vulnerability (tracked as CVE-2022-22718) was discovered in Windows Print Spooler. Microsoft has already released a patch against this threat, but attackers are still able to exploit this vulnerability and gain access to corporate resources.

Kaspersky researchers discovered that cybercriminals launched approximately 65,000 attacks between July 2021 and April 2022. Moreover, Kaspersky experts discovered that approximately 31,000 of these attacks occurred during the past four months, from January to April. This indicates that Windows Print Spooler vulnerabilities remain a common avenue of attack for cybercriminals, which means that users need to be aware of any patches and fixes released by Microsoft.

[Figure: Global statistics on detection of attacks that exploit Windows Print Spooler vulnerabilities from July 2021 to April 2022]

Exploitation of Windows Print Spooler vulnerabilities has affected many countries as the number of overall attacks continues to grow. From July 2021 to April 2022, nearly a quarter of the detected cases came from Italy. After Italy, users in Turkey and South Korea were the most attacked. Kaspersky researchers also discovered that over the past four months, attackers were most active in Austria, France and Slovenia.

[Figure: The top five countries targeted with attacks that exploit Windows Print Spooler vulnerabilities from July 2021 to April 2022]

“Windows Print Spooler vulnerabilities are a hotbed for new emerging threats,” said Alexei Kolev, security researcher at Kaspersky. “We expect an increasing number of exploit attempts to gain access to resources within corporate networks, accompanied by a high risk of ransomware infection and data theft. Through some of these vulnerabilities, attackers can gain access not only to victims’ data but also to the entire corporate server. Therefore, it is highly recommended that users follow Microsoft’s guidelines and apply the latest Windows security updates.”

To protect yourself from cybercriminal attacks that exploit Windows Print Spooler vulnerabilities, Kaspersky recommends the following:

  • Install patches for new vulnerabilities as soon as possible. Once a patch is applied, threat actors can no longer abuse that vulnerability.
  • Conduct regular security audits of your organization’s IT infrastructure to detect any vulnerabilities and weak systems.
  • Use a protection solution for endpoints and mail servers with anti-phishing capabilities to reduce the chance of infection through phishing attempts.
  • Use specialized services that can help fight high-profile attacks. Kaspersky’s Managed Discovery and Response Service can help identify and stop attacks in their early stages, before attackers achieve their goals.
  • Install anti-APT and EDR solutions that enable threat discovery and detection, along with timely investigation and incident remediation capabilities. Provide your SOC team with access to the latest threat intelligence and regularly upgrade their skills through professional training. All of the above is available within the framework of Kaspersky Expert Security.
