Microsoft Assigns CVE to PrintNightmare but No CVSS Score

The zero-day vulnerability known as PrintNightmare now has an official CVE listing, but Microsoft is still investigating the severity of the bug.

The public disclosure of the flaw came about in a comedy of errors this week. A Chinese research team at QiAnXin announced exploit code for a similar remote code execution (RCE) vulnerability in the Windows Print Spooler service (CVE-2021-1675), which Microsoft had patched in June.

Mistaking this code for the project they had been working on, researchers at Shenzhen-based Sangfor Technologies decided to release proof-of-concept exploit code they were due to present at Black Hat USA in August.

However, the bug they discovered, PrintNightmare, was completely new, and this zero-day has now been widely circulated.

Microsoft yesterday named it as CVE-2021-34527.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” it explained.

“An attacker who successfully exploited this vulnerability could run arbitrary code with system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Security researchers have warned that the vulnerability could allow authenticated actors to hijack domain controllers, which would effectively give them the keys to the kingdom to deploy ransomware or other malware across victim networks.

Therefore, while Microsoft said it is still investigating the severity of the CVE, it would be a surprise if it were not labeled “critical.”

Although the code containing the vulnerability is in all versions of Windows, Microsoft said it is also still looking into whether all versions are exploitable.

In the meantime, it has recommended that affected organizations check whether the Print Spooler service is running and disable it. However, this will also disable the ability to print, both locally and remotely.
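The interim mitigation described above, written as an added PowerShell example (not code from the article or from Microsoft): it records the current state of the Spooler service, stops it, sets the start type to Disabled so it does not return at reboot, and verifies the result. It assumes an elevated prompt on the host being checked.

```powershell
# Added example: check for and disable the Print Spooler service as an
# interim PrintNightmare mitigation. Run from an elevated PowerShell prompt.
# Caveat from the article: this removes local and remote printing on the host.

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Spooler service not present on this host; nothing to do."
    return
}

# Record the current state so it can be restored once the host is patched
Write-Output ("Before: status={0}, start type={1}" -f $svc.Status, $svc.StartType)

if ($svc.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
}

# Disabled (not merely Stopped) so the service does not start again on reboot
Set-Service -Name Spooler -StartupType Disabled

# Verify the change took effect
$after = Get-Service -Name Spooler
Write-Output ("After: status={0}, start type={1}" -f $after.Status, $after.StartType)
```

Re-enable the service with `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service Spooler` once the host has been patched and printing is needed again.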

Record Year for Investigators in Healthcare Fraud Cases

The US authorities reportedly opened a record number of cases relating to healthcare fraud in 2020, as unscrupulous individuals tried to profit during the pandemic.

Michael Granston, deputy assistant attorney general at the Department of Justice’s Civil Division, revealed the news during the American Health Law Association’s annual meeting this week, according to Bloomberg Law.

The DoJ opened a total of 900 new cases last year, 580 of which were related to healthcare fraud, according to the report.

The numbers show the scale of the challenge facing private insurers and the US government’s national health insurance program Medicare.

Fraud schemes can take many forms, including staged accidents, billing for services not rendered, unnecessary prescriptions and/or medical devices, and fraudulent use of stolen patient and doctor identities.

Schemes sometimes involve multiple parties, including unscrupulous doctors and clinics. The growth of telemedicine during the pandemic appears to have driven a new surge in fraud, as it’s easier to fake consultations and prescriptions when patients aren’t physically coming into clinics.

In April 2021, a Florida man was sentenced to a decade behind bars for his role in a $3.3 million conspiracy to defraud Medicare by issuing claims for expensive genetic cancer testing that patients didn’t need.

That scheme involved the participation of unscrupulous telemedicine companies and testing laboratories. The former were paid bribes by the guilty man to have doctors authorize the unnecessary tests, while the latter paid him kickbacks for the extra business for their labs.

A separate fraud conspiracy was revealed last year involving former NFL players who submitted millions in claims for expensive medical equipment, including hyperbaric oxygen chambers, that was never purchased or received.

The DoJ claimed earlier this year to have recovered over $2.2 billion in settlements and judgments under the False Claims Act in fiscal year 2020.

According to Granston, the focus for investigators is now on those misusing electronic health records, improperly claiming COVID-19 relief funds, targeting Medicare’s managed care program, defrauding senior citizens and contributing to the opioid epidemic.


Smart Home Experiences Over 12,000 Cyber-Attacks in a Week

‘Smart homes’ could experience more than 12,000 cyber-attacks in a single week, according to a new investigation by Which?

The consumer group partnered with NCC Group and the Global Cyber Alliance (GCA) to conduct the experiment, in which a home was filled with numerous IoT devices, including TVs, thermostats and smart security systems. They then analyzed the number of attempted hacks that took place over several weeks.

Which? revealed a “breathtaking” number of hacks and unknown scanning attacks targeting these devices, rising to 12,807 unique scans/hacks during a single week in June. In this week, the most common method used was attempting to log in to the devices through weak default usernames and passwords, such as ‘admin.’ There was a total of 2,435 specific attempts to maliciously log into devices in this way, equating to 14 per hour.

Encouragingly, most of the devices withstood the attacks, although a wireless camera from Amazon was hacked, which allowed a malicious actor to spy on the home. The device, the ieGeek security camera, has since been removed from sale on Amazon’s website following the study.

Surprisingly, an Epson printer was the most frequently targeted device in the house, but attacks failed as it had “reasonably strong default passwords in place.” According to the researchers, having unique default passwords also protected a Yale security system and a Samsung smart TV from attacks.

The analysis found that the hacking attempts took place from a range of locations across the world, with the vast majority originating from the USA, India, China and the Netherlands.

Which? commented: “While it was shocking to see how many hacking attempts were detected in our smart home, it was reassuring to see how many of them failed. But it’s important to shop carefully for any devices that can be connected to the internet, so you don’t put yourself at risk.”

The findings have come amid mounting concerns about the security of IoT devices, which are becoming increasingly prevalent in homes throughout the world.

In response to this, new security obligations have been imposed upon smart device manufacturers in many countries, including the UK. These include banning weak default passwords.

Commenting on the Which? investigation, Fennel Aurora, security advisor at F-Secure, said: “Unfortunately, these ‘spray and pray’ attacks continue to be used because they are effective. For decades, and still today, we have seen the tried-and-true approach of sending a few million spam emails or scanning the whole internet for old and badly configured Windows machines – which remains extraordinarily profitable for attackers. As technology advances, the same approach is adapted to new targets, so for many years now we see the same technique of scanning for misconfigured cloud resources and vulnerable IoT devices, like in this instance.”

Modern adversaries are continually automating their techniques, tactics, and procedures (TTPs) to evade defenses. To keep up, it makes sense that enterprise security teams should also be able to automate their response to the latest threats and identify ongoing campaigns in their environment. Machine-learning and rules-based detections capture unusual behaviors and common threats. However, they often require new agent logic, and updating your entire fleet to the latest agent to stop a new threat may not always be possible. Similarly, with EDR data producing millions or even billions of events a day, security teams need a way to look for the interesting behavioral and static indicators of compromise (IOCs) that might indicate a zero-day attack. While robust EDR data helps investigations, it may prove too noisy for useful alerting or discovering unusual behaviors.

Singularity ActiveEDR provides advanced detection capabilities and best-in-class visibility, and allows the end user to write custom detection rules that address new threats or targeted threats specific to their industry or organization with Storyline Active Response (STAR).

STAR lets enterprises incorporate custom detection logic and immediately push it out to their entire fleet, or a subset, to either kill any matching process or alert on it for further investigation. STAR can alleviate SOC burden as it can be used as a powerful policy enforcement tool, automatically mitigating threats and quarantining endpoints.

STAR can also add a new layer between threats and EDR data that can alert on a subset of interesting events instead of the entire dataset. This data can be easily consumed into a SIEM, bringing down the cost of using EDR data in a SIEM while making sure that no interesting events slip by.

How STAR Works

ActiveEDR comes with a default set of behavioral detection rules created by high-level research teams and provides endpoint protection from day one. SentinelOne enables customers to leverage these insights with STAR. With STAR custom detection rules, SOC teams can turn queries from Deep Visibility, SentinelOne’s EDR data collection and querying mechanism, into automated hunting rules that trigger alerts and responses when rules detect matches. STAR also allows users an automated way to look at every endpoint event collected across their entire fleet and evaluate each of those events against a list of rules.

Create a STAR Rule In Four Steps

1. Write a query in Deep Visibility or create a new custom rule.
2. Add an event condition.
3. Designate response actions.
4. Save the rule.

STAR evaluates every endpoint event collected against every STAR rule. For large enterprises, STAR evaluates each event, in a stream of a billion daily events, against up to 1,000 STAR rules. It does this by working with Deep Visibility, which collects billions of events a day, so many that it detected every step of the 176-step attack in the latest MITRE test. STAR leverages that industry-leading technology and query language to write criteria that determine, in near real-time, if a collected event is part of a threat or is suspicious.

What makes STAR invaluable is the set of response tools it puts in the users’ hands when an event matches its criteria. The engine not only integrates with Deep Visibility but also with the agent. By checking a box when creating a rule, the analyst can enable STAR to kill any process that matches a STAR rule. By checking a different box, the user can enable STAR to automatically quarantine any device that sees a matching event. Rules can also be written to detect suspicious events and alert on them, allowing the users to then consume those alerts in the UI or via Syslog for further analysis in a SIEM.

Key STAR Use Cases

STAR has two main functions within a SOC, and most customers find value in both.

Mitigate new and emerging zero-day threats
No SOC Analyst wants to depend entirely on a vendor to protect from bleeding-edge attacks or novel threats emerging in niche locations or industries. As soon as they see a new threat emerge, analysts want the ability to write a rule that will detect and prevent that threat. Teams deeply value having the power to write their policy when they need to. STAR allows users to write rules that look for highly specific threats to their environment and automatically kill those threats.

The screenshot below shows an example of a STAR rule to detect the Hafnium Exchange zero-day threat.

Augment SIEM data with low volume, high-value telemetry
STAR allows users to generate new data points, highlighting suspicious behavior in their environment for automated cross-correlation in a SIEM or for manual investigation. Security teams also find the underlying data itself invaluable. SentinelOne has quickly become known for its industry-leading EDR visibility and longer default retention. STAR builds on that story with the ability to generate alerts on almost anything. Customers leverage that data via UI, API, and Syslog to stitch together complicated attacks and shut them down.

The following screenshot shows an example of a STAR rule to find a compromised computer using FTP to exfiltrate data.

SentinelOne Storyline Active Response (STAR)
Customize EDR to adapt to your environment


You can stay ahead of adversaries by customizing and automating detection rules that fit your business and environment with STAR.

With SentinelOne Storyline Active Response, you can proactively monitor and respond to incoming threat intelligence by turning queries into automated hunting rules. STAR is easy to use, powerful, and flexible thanks to Deep Visibility’s intuitive query language with regular expression support for complex queries.

We built STAR to enable your SOC team to react faster and more effectively. Whether you need to mitigate new and emerging zero-day threats with custom detection rules, augment SIEM and data lake data with low-volume, high-value telemetry, trigger automated workflows, or automate your threat hunting queries, SentinelOne Storyline Active Response has you covered.

If you would like to learn more about STAR and the SentinelOne XDR platform, contact us for more information or request a free demo.
