Heimdal Security Blog

Windows Print Spooler Exploit: the Path for Threat Actors to Perform 65,000 Cyberattacks

If you’ve lately used Windows Print Spooler, here’s some bad news: you may have been hacked. Between July 2021 and April 2022, threat actors carried out nearly 65,000 cyberattacks through Windows’ Print Spooler service, according to a new analysis from cybersecurity firm Kaspersky. Furthermore, about half of the attacks (31,000) occurred in the first four months of 2022.

(…) The number of attacks exploiting numerous vulnerabilities in Windows Print Spooler has risen noticeably over the past four months. While Microsoft regularly releases patches for its Print Spooler, a software that manages the printing process, cybercriminals continue to actively exploit its vulnerabilities, giving them the opportunity to distribute and install malicious programs on victims’ computers that can steal stored data. (…) Roughly 31,000 of these hits occurred during the last four months, from January to April. This suggests that vulnerabilities in Windows Print Spooler remain a popular attack route for cybercriminals, which means users need to be aware of any patches and fixes that Microsoft releases.

Source

Most Known Windows Print Spooler Vulnerabilities in Review

You surely remember PrintNightmare, associated with the vulnerabilities CVE-2021-1675 and CVE-2021-34527. Long story short, PrintNightmare became public through an unusual route: a proof of concept (PoC) for it was inadvertently released on GitHub. Although it was quickly removed from the platform, several users had already downloaded the code and republished it, which left an open path for attackers to perform remote code execution and privilege escalation.

New Vulnerability Discovered in Windows Print Spooler

According to the above-mentioned researchers, another important vulnerability, tracked as CVE-2022-22718, was recently uncovered and led to numerous cyberattacks, since attackers were able to use it to gain access to corporate resources.

In late April 2022, a highly severe vulnerability (tracked as CVE-2022-22718) was also discovered in Windows Print Spooler. Microsoft had already issued a patch against this threat, but the attackers were still able to exploit this vulnerability and gain access to corporate resources.

Source

Which Countries Have Been Most Impacted?

According to the report, a quarter of identified hits came from Italy between July 2021 and April 2022. Outside of Italy, users in Turkey and South Korea were the most frequently targeted, and researchers recently discovered that threat actors were most active in Austria, France, and Slovenia over the past four months.

Recommended Mitigation Measures

Here are some basic recommendations from the experts to keep your system protected from the exploit:

How Can Heimdal™ Help?

Considering the above-recommended mitigations, we want to let you know that Heimdal has the right solutions for you.

Choose Heimdal EDR Software and benefit from:

If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.