Author: John Farley
On July 1st, 2021, Microsoft revealed a newly discovered security flaw that could impact victim organizations worldwide. This vulnerability is known as PrintNightmare and is tracked as CVE-2021-34527. It can allow threat actors to take over targeted servers via remote code execution, letting them install programs; view, change, and delete data; and create new accounts with full user rights. It is unknown who is behind the attack, but the vulnerability is believed to be actively exploited by malicious actors.
How to Protect Your Organization
As of this writing, Microsoft is still investigating whether the vulnerability is exploitable on all versions of Windows. While Microsoft has not issued a patch to remediate it, on July 1st it issued a security vulnerability advisory 1 to provide mitigation guidance. The advisory provides two options:
- Option 1 - Disable the Print Spooler service
- Option 2 - Disable inbound remote printing through Group Policy
In addition, the U.S. Cybersecurity & Infrastructure Security Agency ("CISA") provided its own guidance for organizations that may be impacted. On June 30, 2021, CISA issued an advisory 2 to disable the Windows Print Spooler service on servers not used for printing.
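To confirm which of the two options is actually in effect on a given Windows host, a check like the following can be run from an elevated PowerShell prompt. This is an added example, not code from the Microsoft or CISA advisories; the `-DisableSpooler` switch and the function name are this example's own, and the registry value shown is the one written by the "Allow Print Spooler to accept client connections" Group Policy setting.

```powershell
# Added example: audit (and optionally apply Option 1 of) the mitigations on the local host.
[CmdletBinding()]
param(
    # Assumption: -DisableSpooler is this script's own switch, for hosts that do not need to print.
    [switch]$DisableSpooler
)

# Registry value written by the Group Policy setting
# "Allow Print Spooler to accept client connections" (2 = disabled, 1 = enabled).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerMitigationStatus {
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName

    # Option 1 holds only if the service is stopped AND cannot start again at boot
    # (a host with no Spooler service at all is treated the same way).
    $option1 = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    # Option 2 holds only if the policy is explicitly disabled; an absent value
    # means "not configured" and is not counted as a mitigation here.
    $option2 = ($policy -eq 2)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = if ($svc) { $svc.Status } else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType } else { 'n/a' }
        RemotePrintPolicy = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        Option1Applied    = $option1
        Option2Applied    = $option2
        Mitigated         = ($option1 -or $option2)
    }
}

if ($DisableSpooler) {
    # Option 1: stops all printing, local and remote, on this host.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

Get-SpoolerMitigationStatus | Format-List
```

When Option 2 is applied through Group Policy, the Print Spooler service has to be restarted before the setting takes effect, so a host can report the policy value as set while still accepting remote connections until that restart.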
In the event your organization becomes a victim of this campaign, it is important that you leverage the resources that come with any applicable insurance policies.
Many cyber insurance policies provide 24/7 access to outside experts, including breach coaches, IT forensics investigators, extortion negotiators, credit monitoring firms, public relations experts, data asset restoration experts and others. Be mindful of insurance policy claim reporting requirements that mandate formal notice of incidents and/or claims. In addition, be mindful of policy wording that may require insureds to utilize only pre-approved insurance panel experts.
For additional information regarding cyber insurance coverage, please contact your Gallagher team member.