Waking Up from the #PrintNightmare. What’s Next?
by Kevin Garrett, on Jul 20, 2021
Let’s be real. If you’ve worked in cybersecurity for more than a few minutes, you know that magical silver bullets just don’t exist for stopping breaches or lateral movement. We face a complex landscape. Holes and vulnerabilities—both known and unknown—riddle the ecosystems where we operate. We confront problems that are much more complicated than many vendors will acknowledge.
As Remediant’s Senior Sales Engineer, I’m on the vendor side of the house and nothing aggravates me more than vendors who overstate their value prop and then don’t offer sufficient evidence that substantiates that their approach works.
That said, I am very bullish on the way our product solves—simply and elegantly—the underlying problems that affect every organization out there today. In this post, I’ll skip pounding out the three-letter acronyms and industry buzzwords. I’m going to dive right into a summary explanation of the recent #PrintNightmare vulnerability that’s been causing a bit of a ruckus.
#PrintNightmare: An Introduction
In June, Microsoft confirmed CVE-2021-1675, which enables remote code execution and local privilege escalation. Through this vulnerability, any user account can gain local admin privileges on Windows endpoints. Worse still, Microsoft tried to resolve it with a patch early last month, but the patch did not fix the problem. [Sidebar: our product manager discovered the ability to exploit these print drivers back in 2012, so the vulnerability has been around a long time.]
Let’s take a step back. We all know that there will always be some new vulnerability that enables privilege escalation. Every year (or day, even), we see new malware and variants that allow local privilege escalation to occur. This plays a crucial role in allowing attackers to carry out the breaches that continue to make headline news.
What’s key here? Privilege escalation exploits the underlying problem of 24/7 always-on admin access. That’s hard to address, and it hasn’t been addressed well.
So, instead of asking, “How do we stop this from happening?,” we should ask ourselves, “When (not if) this happens, how can we make our environments more resilient to lateral movement? How can we protect ourselves from the spread of ransomware/malware?”
In this writeup, TechRadar shares multiple links that we can follow down the rabbit hole and explore the myriad ways that the #PrintNightmare exploit can impact an environment. Remediant SecureONE stops some of these attack vectors cold.
In this post, I will attempt to clearly explain the impact and proper handling of each of these vectors. SecureONE stops lateral movement via admin credentials in a very specific and impactful way. This enables our clients to take a proactive approach to containment in breach scenarios, especially when they pair SecureONE with solid security fundamentals.
How #PrintNightmare works
CVE-2021-1675 leverages the Windows Print Spooler service, which runs with SYSTEM privileges and which any user account can use. You can find more details on the original discovery and disclosure here, and Rapid7 uploaded a very quick video about the exploit to LinkedIn.
Under the hood, the exploit is simple. A single PowerShell execution is enough to install a print driver that runs with the SYSTEM permissions of the Print Spooler, which can then be used to add an account to the local Administrators group. Again, any user account can do this at any time. That’s what makes this such a powerful tool in any attacker’s toolset.
Establishing administrator or SYSTEM permissions allows the attacker to compromise other accounts that log into the system. They can then move laterally through the environment using well-known techniques (see the MITRE ATT&CK techniques here). Once in, they’ll immediately follow up with even more exploit tactics. And fixing the vulnerability may prove difficult … and disruptive. Microsoft has had the underlying printer functionality in place for many years now.
For better or worse, COVID has brought about some necessary and wide-scale shifts in how organizations manage access. Most organizations still control remote access by granting admin access (i.e. by placing an account in the local Administrators group), but the Remote Desktop Users group allows remote access without admin rights. Organizations have shifted to using this group to ease some of the operational burdens of the wide-scale work-from-home models made necessary by the pandemic.
How SecureONE confronts #PrintNightmare
Remediant built SecureONE upon the fundamental concept of removing 24x7 admin privilege in an environment, which stops lateral movement via admin credentials. Our agent-less approach dynamically scans Windows endpoints and removes all unauthorized privileged accounts.
SecureONE thwarts many techniques that attackers use to compromise privileged-access accounts. Said differently, excessive admin privileges constitute the best possible multi-tool attackers have. The DBIR and other recent reports have shown this too. Attackers leverage privileged credentials in 65% to 80% of attacks, depending on the source. When attackers compromise a single admin account, it’s as if they’ve stumbled upon a skeleton key that unlocks vast segments of a network.
For context, I have now conducted hundreds of assessments in my time with Remediant. The total number of admin accounts I find just hanging around on ALL networks is staggering. I’ll post these details and statistics in coming content.
Let’s be very clear here: No one-stop solutions
No product out there can prevent every single zero-day from compromising every single endpoint. It just can’t be done, period. However, all vendors mitigate risk. If we can raise the bar and make it just that much more difficult for an attacker to spread throughout a network, we can contain the attacker to an isolated machine. We can force them to fall back on different tools that are less stealthy and easier to detect.
SecureONE accomplishes privileged access mitigation by removing the massive amount of standing admin privileges in environments from the endpoints. We provide easy-to-use, Just-in-Time & Just-Enough Access to one user and one computer at a time.
When we do this, we remove an attacker’s most flexible multi-tool from their arsenal. We force them to resort to noisier attack vectors, which other critical infrastructure can more easily detect. It’s like making an entire door disappear just as the criminal looks away to find their very best lock pick to spring the lock.
That’s our condensed philosophy and overview of SecureONE. Now, how does this approach affect #PrintNightmare, specifically? Simple.
No admin rights anywhere on the network means #NoLateralMovement. I can escalate and pwn a single endpoint all day long, but if I can’t get to other more critical or more interesting systems on the network, there is a definitive limit to the value I can create for myself (the attacker).
Take-Aways: Best Practices and Closing Open Doors
#PrintNightmare exposes a very real danger in the Remote Desktop Users group. If a compromised account is a member of this group, the attack vector remains open, barring other local process-level mitigations.
Below are some practical tips to close these holes:
- Ensure patches are up-to-date and applied everywhere possible. In July, TechRadar called out the particularly nasty ZeroLogon vulnerability, patched and disclosed by Microsoft in August 2020. Even without a dedicated team, many free tools and assessments are available out there to help small teams identify and close critical vulnerabilities like these.
- Remove unnecessary accounts from the Users Group and other groups on workstations. Logon should only be allowed for the primary user or operator of the target machine.
- Temporarily force stop the Print Spooler service until Microsoft releases a patch that is confirmed effective at preventing this escalation. Be aware that printing will be prevented until you enable the Print Spooler again. Only you and your management team can appropriately assess whether this operational impact is worth its cost to your organization.
- Ensure by any means necessary that Domain Admin accounts are only EVER used to log onto Domain Controllers. This is a simple operational measure detailed by Microsoft that any administrator of a Windows network can deploy. Not allowing DA logon to workstation- or server-tier devices means the account’s credential hash is never left behind in memory for an attacker to compromise. Many would argue this is a fundamental security best practice.
- Consider investing in an EDR solution that can identify and block the DLL that drives this attack when it attempts to load. Solutions like Carbon Black, CrowdStrike, and SentinelOne (etc.) allow tight application whitelisting that permits only trusted DLLs to load, which would block this attack vector at the individual endpoint.
- Last, but certainly not least: invest in training for the “layer 8” problem. Your people are your strongest assets. A little training goes a long way toward preventing phishing and other cyberattacks that seek to gain footholds in your environments.
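As an added example (not Remediant’s code and not part of the original post), the following PowerShell script audits a workstation against the spooler, group-membership and detection items above: it reports the Print Spooler state (and stops and disables it with `-Remediate`), lists standing members of the local Administrators and Remote Desktop Users groups against an allow-list, and pulls recent print-driver installation events. The allow-list default `primaryuser`, the 7-day window and the use of PrintService/Operational event ID 316 are my assumptions.

```powershell
#Requires -RunAsAdministrator
# Constructed audit script (not Remediant's code). Run elevated on the workstation.
# Default is report-only; -Remediate disables the spooler and prunes RDP users.
param(
    [switch]$Remediate,
    # Assumption: the single primary user who should keep RDP logon rights on this box.
    [string[]]$AllowedRdpUsers = @("$env:COMPUTERNAME\primaryuser")
)

# 1. Print Spooler: report, and optionally stop and disable it.
#    Printing stays broken until the service is re-enabled.
$spooler = Get-Service -Name Spooler
Write-Host "Print Spooler status: $($spooler.Status), startup type: $($spooler.StartType)"
if ($Remediate -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and disabled."
}

# 2. Local group hygiene: who holds standing admin, and who can reach this box over RDP?
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
    Write-Host "`n[$group] $($members.Count) member(s):"
    foreach ($m in $members) {
        $flag = ''
        if ($group -eq 'Administrators' -and $m.ObjectClass -eq 'User') { $flag = '  <-- standing admin' }
        if ($group -eq 'Remote Desktop Users' -and $m.Name -notin $AllowedRdpUsers) {
            $flag = '  <-- not on allow-list'
            if ($Remediate) {
                Remove-LocalGroupMember -Group $group -Member $m.Name
                $flag += ' (removed)'
            }
        }
        Write-Host "  $($m.Name) ($($m.ObjectClass))$flag"
    }
}

# 3. Recent print-driver installs: PrintService/Operational event 316 is logged when a
#    driver is added or updated. The Operational log is off by default; enable it with
#    wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
$driverEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue)
Write-Host "`nPrint drivers added/updated in the last 7 days: $($driverEvents.Count)"
$driverEvents | ForEach-Object { Write-Host "  $($_.TimeCreated)  $($_.Message.Split("`n")[0])" }
```

An unexpected driver-install event on a machine where nobody should be installing printers is the kind of noisy signal the post describes: a single compromised endpoint, caught before it becomes a path to the rest of the network.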