Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
- Proof of Concept (PoC) exploit code for the critical PrintNightmare vulnerability was accidentally leaked and then taken down.
- The PoC reliably exploits the Windows Print Spooler Service remotely and is effective against common Windows operating systems.
How did we find it?
- The exploit code was widely released across Github following the leak and obtained by our Threat Intelligence team.
- Our Tactical Threat Response team began the exploit analysis.
What did we do?
- We analyzed and executed the PrintNightmare exploit in our adversary emulation lab to investigate the relevant telemetry generated by the exploit across our entire MDR platform.
- We also investigated security alerts and developed detections. We analyzed the resulting data to see how it would demonstrate that the attack took place and, based on this analysis, created a rule that can be deployed into our customers’ environments to readily detect future exploits of a similar nature.
- We altered the attack to determine whether the detections our team developed remain effective, deployed these detections to our customers’ environments, and released a Threat Intelligence PrintNightmare security advisory.
- Our 24/7 SOC actively blocked all IPs associated with attacks at the network level.
- Our Managed Vulnerability Service (MVS) identifies vulnerable hosts, and our MVS team will alert customers if necessary.
What can you learn from this TRU positive?
- PrintNightmare is a zero-day vulnerability classified as Remote Code Execution (RCE); it also allows Local Privilege Escalation (LPE) and affects most organizations with Windows hosts.
- Exploiting PrintNightmare allows threat actors to take full control of vulnerable systems.
- Since the public release of the PoC on June 29th, the barriers for exploitation have been significantly reduced.
- Microsoft has also stated that exploitation of PrintNightmare has been identified.
- There is a very short window between the release of an exploit and mass exploitation, so it is critical to rapidly deploy effective detection measures and preventative controls against threats like PrintNightmare.
- Our TRU team proactively researches detective rules and controls before adversaries can weaponize the exploits.
- In addition, our TRU team conducts a thorough evaluation of any exploit, which often requires multiple actions, such as:
  - Testing the exploit against defenses set in place,
  - Developing detections if none currently exist,
  - Assessing and testing potential evasion and bypass techniques,
  - Testing known mitigating controls for effectiveness prior to patches being released, and
  - Ensuring that any released patches can appropriately stop the threat.
Recommendations from our Threat Response Unit (TRU) Team:
Due to the fluid nature of these situations, monitoring the threat landscape is extremely nuanced. Information regarding the PrintNightmare vulnerability was continually released as details unfolded. Therefore, we recommend:
- Mitigating controls that may prevent all, or part of, an attack.
- Microsoft has also released Out-of-Band patches for the PrintNightmare vulnerability, which are now included in the latest Patch Tuesday update:
  - Security patches are available for Windows 10, version 21H1, 20H2, 2004, 1909, 1507, 1607, 1809, Windows Server 2019, Windows 8.1 and Windows Server 2012, Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2016, and Windows Server 2012.
- If patching is not possible, organizations should disable the Windows Print Spooler service on Domain Controllers and on any systems that do not require printing capabilities.
  - Microsoft has released guidance for disabling the Print Spooler service.
  - As another option, organizations may disable inbound remote printing through Group Policy.
  - It should be noted that both options may impact standard printing procedures.
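The following PowerShell script is an added example, not eSentire’s or Microsoft’s code, that audits a single Windows host against the two mitigations above (stopping and disabling the Print Spooler service, or refusing inbound remote print clients) and applies either one only when explicitly asked. It assumes an elevated PowerShell 5.1 or later session on the host being assessed, and that the registry value named in the script is the setting behind the “Allow Print Spooler to accept client connections” Group Policy.

```powershell
# Added example: audit the local host's Print Spooler exposure and, on request,
# apply one of the two mitigations described above. Run elevated.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'   # assumption: 2 = refuse remote clients, 1 = allow

function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5          # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC

    $policy = $null
    if (Test-Path $PolicyKey) {
        $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    }
    $policyText = switch ($policy) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'Not configured' } }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        IsDomainController  = $isDc
        SpoolerState        = $svc.State        # Running / Stopped
        SpoolerStartMode    = $svc.StartMode    # Auto / Manual / Disabled
        RemoteClientsPolicy = $policyText
        # Flag a DC with the spooler running, or any host whose running spooler
        # still accepts remote clients; both need one of the mitigations below.
        NeedsAction         = ($svc.State -eq 'Running') -and ($isDc -or ($policy -ne 2))
    }
}

function Disable-PrintSpooler {
    # Mirrors the "disable the service" guidance: stop it now and keep it from restarting.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

function Disable-RemotePrintClients {
    # Local equivalent of the Group Policy option: local printing keeps working,
    # inbound client connections are refused once the spooler restarts.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName = 2 and restart Spooler")) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        Restart-Service -Name Spooler
    }
}

# Usage: audit first, then apply the mitigation that fits the host.
Get-SpoolerExposure | Format-List
# Disable-PrintSpooler -WhatIf          # DCs and hosts that never print
# Disable-RemotePrintClients -WhatIf    # hosts that must keep local printing
```

Both mitigation functions support `-WhatIf` and `-Confirm`, so the audit can be rolled out fleet-wide first and the change applied deliberately per host class; as the advisory notes, either change can break normal printing, which is why the script reports rather than acts by default.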
- Do I have the broad expertise required to mine threat intelligence, perform exploit analysis, test mitigations and patches, and have the expertise to develop detection controls & rules to deploy within my own environment?
- Do I have the full visibility required to detect and respond to threats like PrintNightmare?
If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.
Want to learn more? Connect with an eSentire Security Specialist.