Jul 02, 2021

How Enhanced Cyber Hygiene Can Help Your Organization Wake-Up from a PrintNightmare

A new Windows zero-day exploit is the perfect opportunity to start thinking more proactively about endpoint visibility and control

By Jim Kelly, RVP, Endpoint Security Specialist , Tanium

The eyes of the IT world are once again focused on breaking news of a new zero-day exploit. This time, affecting the Windows Print Spooler. While much of the reporting has centered on the comedy-of-errors that led to the exploit code being accidentally published, the incident has more to tell us.

Security leaders and IT bosses should take note. Understanding what assets you have and their status is the first step to reducing the attack surface, improving cyber resilience and accelerating incident response.

The story so far

The story begins with Microsoft’s June Patch Tuesday, during which it released a fix for what was initially described as a high-severity elevation of privilege vulnerability in the Windows Print Spooler: CVE-2021-1675.

Microsoft subsequently reclassified the vulnerability as critical after discovering that it could also enable remote code execution (RCE). A week later, on June 28, Chinese security vendor QiAnXin announced it had engineered an exploit for both the local privilege escalation and remote code execution in CVE-2021-1675, publishing a video demonstrating its work.

Unfortunately, researchers at Shenzhen-based Sangfor Technologies misinterpreted this news. Assuming that the bug was the same as a critical flaw they had discovered in Print Spooler, they decided to release their own proof-of-concept exploit — originally due to debut at Black Hat USA in August. The logic was simple: as the bug had already been patched by Microsoft (they thought), what’s the harm?

We’ll probably find out the answer to that question in the coming days. The exploit enables a remote, authenticated attacker to run code with elevated rights on any machine with the Print Spooler service enabled, including Domain Controllers. That could make for a potentially severe impact. Knowing what we do about threat actors, you can bet that the exploit is now in the hands of those with the intent to use it against any exposed systems.

What this means for your organization

The advice for mitigating this incident is pretty simple. As outlined on our Community site, organizations need to find all the machines running Print Spooler, have the Domain Controller role installed, and then disable the service on any Domain Controller that does not require it. When a patch becomes available, they should apply it to all affected endpoints as soon as possible.

However, there’s a bigger picture here. Unless you have visibility into your endpoints, workloads, configurations and patching status, you’ll be in constant fire-fighting mode. For example, many organizations have services and applications like Print Spooler running on critical infrastructure, which just shouldn’t be there.

Often what’s happened is that IT has tried to consolidate the number of servers and VMs in its estate instead of scaling them out with separate dedicated services. That means fewer devices to maintain and a broader attack surface because their critical infrastructure is now running multiple services that should be segregated. The same IT teams may not be aware of their risk exposure if they don’t have visibility into endpoints.

This can lead to multiple critical issues that need fixing simultaneously, which delays incident response. To put it another way: the problem with constantly sprinting is you simply can’t go any faster. So the focus should always be on good cyber hygiene first. Getting those endpoints patched, hardening those systems, reducing network access where necessary — and ensuring compliance.

That’s the way to reduce the attack surface and minimize the chances of another PrintNightmare impacting your organization.

Getting proactive

Those that don’t study history are doomed to repeat it. So use this opportunity to review your action plans and incorporate lessons learned. This could include checking:

  • To see if your hardening standards are up to par. This isn’t the first time we’ve seen issues with Print Spooler, for example
  • Your system onboarding, hardening and continual compliance processes to see if hardening standards are being met or not
  • For third-party risks, firewall off any third-party assets in your organization that you can’t touch

The good news is that Tanium is designed to help you answer the critical questions about your endpoint estate. With that information, you can then take remedial action — at speed and scale.

As soon as you learn about a problem, you can find out how the current environment is configured, in near real-time, and make appropriate changes. All of this in minutes rather than weeks. Tanium can also flag when you’re deviating from best-practice compliance.

If you don’t know what you own, how it’s configured and what’s running on it, you can’t secure it. So once PrintNightmare is fixed, check your environment with Tanium’s free cyber hygiene assessment. Sign up today.


For information on how Tanium customers can address PrintNightmare, check out the Community post.