Microsoft's PrintNightmare security vulnerability is now being exploited by a ransomware group called Vice Society, according to a report by Cisco's Talos threat intelligence research team. Talos has been observing how Vice Society exploits the Print Spooler flaw, which Microsoft has been trying to patch for several months with somewhat limited success.
According to Talos' findings, Vice Society, which has previously been linked to the HelloKitty ransomware group, uses a dynamic link library (DLL) associated with the ongoing PrintNightmare Print Spooler bug to infect vulnerable systems with ransomware. Talos identifies the DLL by its SHA-256 hash, 6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af, which is quite a mouthful.
Vice Society demands a ransom from its victims and threatens to leak the stolen data via a website it operates if the ransom is not paid. Below is a screenshot of what the data leak site looks like:
Talos also observed some of the tactics, techniques, and procedures (TTPs) that Vice Society uses to carry out these attacks.
These include using ProxyChains to route network traffic through intermediate proxies during the intrusion, and attacking ESXi virtual servers and data backups so that the whole environment is exposed to the ransomware and recovery is prevented. To avoid detection by endpoint security products, the threat actors perform an Antimalware Scan Interface (AMSI) bypass. More technical details are available in Talos' official blog post.
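The one concrete indicator the article gives is the SHA-256 hash of the malicious DLL. The following script is an added example, not code from the article or from Talos: it sweeps a directory tree for DLLs whose SHA-256 matches a set of known-bad hashes, seeded with the hash quoted above. The sweep root `C:\Windows\System32\spool\drivers\x64\3` (the 64-bit printer driver store the Print Spooler loads DLLs from) is an assumption to adjust for your environment, and the demonstration files are constructed.

```python
"""Sweep Print Spooler driver directories for a known-bad DLL by SHA-256.

Added example (not from the Talos report or the article). It hashes every
DLL under a directory tree and reports any file matching a known indicator.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable

# SHA-256 of the malicious DLL as quoted in the article (Talos indicator).
VICE_SOCIETY_DLL_SHA256 = "6f191f598589b7708b1890d56b374b45c6eb41610d34f976f0b4cfde8d5731af"

# Assumed default sweep root: the 64-bit printer driver store that the
# Print Spooler loads plug-in DLLs from. Adjust for your environment.
DEFAULT_SPOOL_ROOT = r"C:\Windows\System32\spool\drivers\x64\3"


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large driver packages are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, bad_hashes: Iterable[str], extensions=(".dll",)):
    """Return (matches, unreadable).

    matches   : [(path, sha256)] for every file under root whose hash is in bad_hashes
    unreadable: paths that could not be hashed, kept separate so a permissions
                problem is never mistaken for a clean result.
    Hash comparison is case-insensitive.
    """
    wanted = {h.lower() for h in bad_hashes}
    matches = []
    unreadable = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = Path(dirpath) / name
            try:
                digest = sha256_of_file(path)
            except OSError:
                unreadable.append(str(path))
                continue
            if digest in wanted:
                matches.append((str(path), digest))
    return matches, unreadable


def demo():
    """Constructed demonstration: a fake driver store with one planted 'bad' DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "x64" / "3"
        store.mkdir(parents=True)
        benign = store / "benign_driver.dll"
        benign.write_bytes(b"MZ benign driver contents (constructed)")
        planted = store / "suspicious_plugin.dll"  # constructed file name
        planted.write_bytes(b"MZ planted test payload (constructed)")
        # The real sample is not reproduced here, so the demo treats the planted
        # file's own hash as an indicator alongside the hash from the article.
        indicators = {VICE_SOCIETY_DLL_SHA256, sha256_of_file(planted)}
        matches, unreadable = scan_directory(tmp, indicators)
        return [Path(p).name for p, _ in matches], unreadable


if __name__ == "__main__":
    hits, skipped = demo()
    print("matches:", hits, "unreadable:", skipped)
```

In production, call `scan_directory(DEFAULT_SPOOL_ROOT, {VICE_SOCIETY_DLL_SHA256})` from an account that can read the driver store, and treat a non-empty `unreadable` list as a finding in its own right rather than as a clean sweep.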