July 30, 2021

Print Nightmare Exploit Explained

So how could someone access your private company servers and data because of a printer?

Let’s talk about this in a way that everyone can understand: non-technical users, and anyone wanting to learn a bit more about the security breaches and exploits that come up. If you’re working with Skycomp Solutions Inc., we’ve already dealt with these exploits.

If you’re wondering what an ‘exploit’ is:

A computer exploit, or exploit, is an attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders. Now, this exploit is named ‘Print Nightmare’, so we all assume it has something to do with your printer. Just unplug the printer, right? That will stop them, right?

It gets a bit more complicated than that. At Skycomp we are lucky enough to have two highly skilled technical minds that saw this problem coming, wrote a script to stop the exploit in its tracks and rolled it out on all our clients’ systems! Take that, hackers!

So how could someone access your private company servers and data because of a printer?

Well, the truth is, it’s not really because of the physical printer sitting in your office. It’s because of the print spooler. This is a Windows service that, in its default settings, is enabled on all machines and servers. The print spooler manages printing in your office. If someone needs to print remotely, or from the office, it receives the files, queues them and schedules them.

The way hackers were getting in was very sneaky. The print spooler has a driver feature that allows other machines/computers to add any files as printer files and load them into the system.

It was originally designed to allow users to update printers remotely. But this has allowed any user to upload random drivers and exploits. No authentication or validation needed.

Now we are starting to understand why it’s called a nightmare.

If your IT department hasn’t brought this up with you yet, you should go to them with this article; they will know what to do! But if your organization hasn’t done anything to guard against this exploit yet, a good first step would be to disable any Windows Print Spooler service running on a domain controller.

A “Domain Controller” is a server that responds to authentication requests and verifies users are who they say they are on computer networks.

So, what did Skycomp’s team do to prevent the exploit?

There was a team assembled to manually install patches,

Before we get into this, you’ll notice different acronyms. Information Technology (IT) uses a lot of acronyms to help conversations go quickly and make work more efficient. This doesn’t help the everyday person gain the knowledge they are looking for. Our team is going to translate the technical jargon so you can understand the process.

The Timeline: Resolving an Exploit Takes Time – our Team worked quickly to ensure our clients were safe.

Exploit Released by Microsoft on: July 1st, 2021

Day One: Early July 2nd

Microsoft released the CVE (Common Vulnerabilities and Exposures). This is a digital report that Microsoft provided to explain the exploit, and possible solutions for resolving it, to all IT administrators and users.

Tim and Marc jumped into action and tested various PowerShell commands to confirm whether any devices were sharing a printer. “PowerShell” allows our team to create a script for automating management systems. This allows us to search for the exploit across multiple machines and servers with a few clicks instead of a few thousand clicks.

Tim and Marc also ran commands against local systems and tested on non-production servers to validate the result.

Translation: Using PowerShell, we typed in code that tested our local systems and servers that aren’t in use to make sure that the patch and update worked, and the print spooler couldn’t be accessed by external devices.

We created a search, similar to filtering search results when shopping online for that perfect price point. Our search filter looked at all managed clients and located all servers that were NOT sharing printers.

A “Script” or list of commands was scheduled to be run against these systems to disable the Print Spooler service just after 5pm.

This would keep all these exploited devices safe from hackers.
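The check-then-disable step described above can be sketched with built-in Windows cmdlets. This is an added example, not Skycomp’s script; the function names `Get-SpoolerExposure` and `Disable-SpoolerIfUnused` are hypothetical, and it assumes an elevated session on the machine being checked.

```powershell
#Requires -RunAsAdministrator
# Added example (not Skycomp's script): audit the Print Spooler on this machine
# and disable it only when no printers are shared from it.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # DomainRole 4 and 5 mean backup and primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $shared = @()
    if ($svc.Status -eq 'Running') {
        # Get-Printer talks to the spooler, so it only works while the service runs.
        $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = ($role -ge 4)
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        SharedPrinters     = @($shared | ForEach-Object { $_.Name })
    }
}

function Disable-SpoolerIfUnused {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-SpoolerExposure
    if ($state.SpoolerStatus -ne 'Running') {
        Write-Verbose 'Spooler is not running; nothing to stop.'
    }
    elseif ($state.SharedPrinters.Count -gt 0) {
        # Someone prints through this machine: leave it running and patch instead.
        $names = $state.SharedPrinters -join ', '
        Write-Warning "$($state.ComputerName) shares printers ($names); spooler left running."
    }
    elseif ($PSCmdlet.ShouldProcess($state.ComputerName, 'Stop and disable Print Spooler')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    Get-SpoolerExposure   # return the state after any change
}

# Dry run first; remove -WhatIf to apply the change.
Disable-SpoolerIfUnused -WhatIf | Format-List
```

The `IsDomainController` field flags the machines where the article recommends disabling the spooler first; reversing the change is `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler`.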

The Trouble with the Print Spooler and What makes this so complicated:

The print spooler controls your printing entirely. So, shutting the print spooler off on all machines is not possible, or else everyone showing up to work wouldn’t be able to print anything. Even though we do live in a digital world and maybe you don’t print often, even the ‘print to pdf’ option wouldn’t be available. So, our team spent the time finding technical backend solutions to the problem without having to shut down printing in an office for the day.

Wednesday July 7th

Matt, a technician on our team, shared links to the updated documents from Microsoft.

Our team learned that only some versions of Windows had patches that would resolve the exploit and were ready to apply. Marc tested on a local computer, which already had the patch from automatic Windows updates, then tested on a non-production server to confirm the process.

Marc created searches in Automate to locate systems based on whether the Spooler is running or not, and whether to look at servers only or at all systems. These could be used in scripts to reverse the initial steps, or to find which systems to update.

Translation:

Automatic Windows updates resolved some of the issues on most systems, but not all of them: servers and some other systems didn't update. Because we are a Managed Service Provider, we can see on every organization's systems whether the update actually happened, and make sure that your system is up to date.

Long story short: all our clients' systems have been protected from the Print Nightmare hack. Isn't it nice having managed services?

We think so!