PrintNightmare, STUXNET, and Why you need to patch your SCADA
2021-07-09 | 4 min read
Another Windows Print Spooler Flaw
When I launched this blog in April, I had an eye toward finding the human interest aspect of the most recent hacks affecting the ICS industry, and using it to dig a little deeper.
Little did I know that Nation State hackers would attack two of our guardians of the digital universe (FireEye and SolarWinds), steal Energy Stones that give them the power to blow stuff up, and then start hacking critical infrastructure more often than the Tesseract gets stolen!
I quickly discovered that I couldn’t blog that fast. I have a day job.
And then there's the problem that even hacks that appeared to be of little interest to the ICS/OT universe, like PrintNightmare, a 0-day vulnerability in the Windows Print Spooler service whose proof-of-concept exploit was accidentally published before Microsoft had released a working patch (big oopsie!), proved to be of great interest to the ICS/OT world.
If it hasn't, it should.
Because the HMI, our unsung hero, and the engineering workstations and SCADA servers that program and supervise its sidekick, the PLC, generally run on Windows-based computers, making SCADA systems an obvious PrintNightmare target.
So what does PrintNightmare do?
PrintNightmare exploits a vulnerability in the Windows Print Spooler service. The Print Spooler service manages the print process and is enabled by default on every Windows client and server, domain controllers included.
In other words, it is running by default on many, many Human-Machine Interfaces, engineering workstations and SCADA servers, every one of which is now exposed to PrintNightmare. The PLCs themselves run vendor firmware rather than Windows, but the machines that configure and command them do, and that is all an attacker needs.
An attacker who successfully exploits PrintNightmare hands the spooler a DLL disguised as a printer driver, and the spooler loads it as SYSTEM, the highest privilege on the machine. It works locally, turning any ordinary user into a super user with SYSTEM privileges, and it works remotely: because the spooler exposes its driver-installation RPC interface on the network, any unpatched host with the service running can be taken over with nothing more than a valid low-privilege domain account. This allows the hacker to do just about anything they want, like install new software, execute it, create new users and give them superpowers, freely roam throughout your network undetected and undeterred, or control remote computers. It could also tell the PLC to destroy stuff, and then tell your HMI to report that everything's just fine.
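Because exploitation leaves the malicious "driver" DLL on disk and makes the spooler log its failure to load it, a defender can hunt for it. The following PowerShell script is an added example, not code from the original post or from Keysight; the function name, the seven-day lookback and the treatment of unsigned driver DLLs as a lead rather than a verdict are my own choices. It reads the Microsoft-Windows-PrintService logs (Event 808, "failed to load a plug-in module", in the Admin log; Event 316, "driver added or updated", in the Operational log, which is disabled by default) and inspects the spool driver directory. Run it elevated on each Windows HMI, engineering workstation or SCADA server.

```powershell
# Added example (not from the original post): hunt for PrintNightmare
# exploitation artefacts on one Windows host. Assumptions: PowerShell 5.1+,
# run as Administrator, default PrintService log names and spool paths.
function Invoke-PrintNightmareHunt {
    param([int]$LookbackDays = 7)   # lookback window is an arbitrary choice
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Event 808 (PrintService/Admin): the spooler failed to load a "plug-in
    #    module". After an attack the module is typically the attacker's DLL,
    #    often already moved into ...\spool\drivers\x64\3\old\<n>\ by the spooler.
    $pluginFailures = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Admin'
        Id        = 808
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # 2. Event 316 (PrintService/Operational): a driver was added or updated,
    #    with the file list. The Operational log is off by default; enable it with
    #    wevtutil sl "Microsoft-Windows-PrintService/Operational" /e:true
    $driverAdds = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PrintService/Operational'
        Id        = 316
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # 3. Driver DLLs without a valid Authenticode (or catalog) signature, plus
    #    anything the spooler parked under an "old" folder recently. Legitimate
    #    vendor drivers can trip this too, so treat hits as leads, not verdicts.
    $driverRoot = Join-Path $env:SystemRoot 'System32\spool\drivers'
    $suspectDlls = Get-ChildItem -Path $driverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.FullName -match '\\old\\\d+\\' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } | Where-Object { $_.Signature -ne 'Valid' -or $_.Path -match '\\old\\' }

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        PluginLoadFailures   = @($pluginFailures).Count
        PluginFailureDetails = @($pluginFailures | Select-Object TimeCreated, Message)
        DriverAddEvents      = @($driverAdds).Count
        DriverAddDetails     = @($driverAdds | Select-Object TimeCreated, Message)
        SuspectDriverDlls    = @($suspectDlls)
    }
}

# Usage: run on the host, or fan out with Invoke-Command over your HMI list.
$report = Invoke-PrintNightmareHunt
if ($report.PluginLoadFailures -gt 0 -or $report.SuspectDriverDlls.Count -gt 0) {
    Write-Warning "$($report.Host): possible PrintNightmare activity, review the report."
}
$report | Format-List
```

On an HMI that has never had a printer driver installed, any Event 808 or any DLL under the spool driver tree written after the host was commissioned deserves a look; on a SCADA server that does print, correlate the Event 316 file list with your change records before calling it an incident.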
Stuxnet and Windows Print Spooler Service Vulnerabilities
Interestingly, Stuxnet also exploited a 0-day vulnerability in the Windows Print Spooler service, MS10-061, which allowed a remote attacker to write files into the system directory of a target machine by sending it a crafted print request. Stuxnet used it to "print" two files into the target's system directory: a copy of itself and a MOF file that WMI compiles automatically, which in turn executed the dropper. Writing the payload and triggering it were one and the same operation, so the worm infected the new host and spread from it in a single step.
With all the Energy Stones that the Nation State hackers have collected, you can’t rely on what worked before to protect your ICS/OT environments: a physical air gap. And fortunately, you don't need to. Check the related links below to see how Keysight's Solutions for fortifying your IT/OT networks can provide the tools you need to protect your stuff.
And now Microsoft has released an emergency, out-of-band patch for PrintNightmare.
Emergency Patch for PrintNightmare, CVE-2021-34527, Released by Microsoft
"UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability." --Microsoft
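Patching is the fix, but Microsoft's FAQ also warns that the patch only holds if the Point and Print policy keys are left at their defaults, and the Workaround section gives two options for hosts that cannot be patched yet: stop and disable the spooler, or keep it running but stop it accepting network connections. The following PowerShell is an added example, not code from the original post, from Keysight or from Microsoft's KB; the function names, the -HostNeedsPrinting switch and the -PatchKB parameter (you supply the KB number for your build from the CVE's Security Updates table) are my own. Run it elevated.

```powershell
# Added example (not from the original post or Microsoft's KB text): audit one
# host's exposure to CVE-2021-34527, then apply Microsoft's documented
# workarounds and policy settings. Assumptions: PowerShell 5.1+, elevated,
# $PatchKB supplied by the operator from the CVE's Security Updates table.
$PrintersKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointPrintKey = Join-Path $PrintersKey 'PointAndPrint'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PrintNightmareExposure {
    param([string]$PatchKB)   # e.g. the KB listed for your build; not hard-coded here
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $restrict = Get-RegValue $PointPrintKey 'RestrictDriverInstallationToAdministrators'
    $noWarn   = Get-RegValue $PointPrintKey 'NoWarningNoElevationOnInstall'
    $prompt   = Get-RegValue $PointPrintKey 'UpdatePromptSettings'
    $remote   = Get-RegValue $PrintersKey   'RegisterSpoolerRemoteRpcEndPoint'
    $patched  = if ($PatchKB) { [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue) } else { $null }

    # Per Microsoft's FAQ the patch is neutralised if RestrictDriverInstallation...
    # is 0, or if either Point and Print value is non-zero.
    $policyWeakensPatch = ($restrict -eq 0) -or ($noWarn -and $noWarn -ne 0) -or ($prompt -and $prompt -ne 0)
    $spoolerRunning     = $svc -and $svc.Status -eq 'Running'
    $remoteDisabled     = ($remote -eq 2)   # 2 = "Allow Print Spooler to accept client connections" Disabled

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        SpoolerRunning       = [bool]$spoolerRunning
        SpoolerStartType     = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        RemoteRpcDisabled    = $remoteDisabled
        PatchInstalled       = $patched
        PolicyWeakensPatch   = $policyWeakensPatch
        Exposed              = [bool]($spoolerRunning -and -not $remoteDisabled -and (($patched -ne $true) -or $policyWeakensPatch))
    }
}

function Set-PrintNightmareMitigation {
    param([switch]$HostNeedsPrinting)
    if (-not $HostNeedsPrinting) {
        # Workaround option 1: the host never prints (most HMIs and engineering
        # workstations). Stop the service and keep it from coming back.
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
    } else {
        # Workaround option 2: keep local printing, refuse inbound RPC connections.
        # Same effect as the GPO "Allow Print Spooler to accept client connections" = Disabled.
        New-Item -Path $PrintersKey -Force | Out-Null
        Set-ItemProperty -Path $PrintersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
        Restart-Service -Name Spooler
    }
    # Whichever option, pin the Point and Print policy so the July 2021 patch is
    # not bypassed once it is installed.
    New-Item -Path $PointPrintKey -Force | Out-Null
    Set-ItemProperty -Path $PointPrintKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $PointPrintKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PointPrintKey -Name UpdatePromptSettings -Value 0 -Type DWord
}

# Usage: audit first, remediate only hosts that are exposed, then re-audit.
$before = Test-PrintNightmareExposure -PatchKB 'KB<from the CVE table>'
$before | Format-List
if ($before.Exposed) {
    # Some SCADA packages print alarm or shift reports through the spooler;
    # confirm with the HMI owner before choosing the no-printing option.
    Set-PrintNightmareMitigation -HostNeedsPrinting:$false
    Test-PrintNightmareExposure -PatchKB 'KB<from the CVE table>' | Format-List
}
```

Disabling the spooler is the cleaner choice on an HMI that never prints, but it also breaks "Print to PDF" and any alarm-printer integration, so check what the SCADA application actually uses before pushing it fleet-wide. The Point and Print values are harmless to set before the patch arrives and become meaningful the moment it does.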