Microsoft has shared mitigations for the Windows Print Spooler vulnerability known as PrintNightmare.
The remote code execution (RCE) bug, now tracked as CVE-2021-34527, affects all versions of Windows according to Microsoft, which is still investigating whether the vulnerability is exploitable on every Windows operating system.
CVE-2021-34527 lets attackers take over affected servers through remote code execution with SYSTEM privileges: they can install programs; view, change, or delete data; and create new accounts with full user rights.
The company added in a newly released security advisory that PrintNightmare has already been exploited in the wild. Microsoft did not say who is behind the detected exploitation (threat actors or security researchers).
Microsoft says attackers are actively exploiting the PrintNightmare zero-day.
At the moment, there are no security updates available to address the PrintNightmare zero-day.
Microsoft also cleared up the confusion surrounding the bug by stating that it is “similar but distinct from the vulnerability that is assigned CVE-2021-1675,” which was patched in June.
Mitigation Steps
Microsoft has not released security updates to address this flaw, but it has provided mitigation measures to block attackers from taking over vulnerable systems.
The available options are disabling the Print Spooler service, which removes printing capability both locally and remotely, or disabling inbound remote printing through Group Policy, which removes the remote attack vector by blocking inbound remote printing operations.
Option 1 – Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force   # stop the running service now
Set-Service -Name Spooler -StartupType Disabled   # keep it from starting again at boot
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
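As an added audit example (not from the advisory or from Microsoft's guidance), the following PowerShell reports whether either mitigation above is in place on the local host and can optionally apply Option 1. It assumes the Group Policy setting is backed by the registry value RegisterSpoolerRemoteRpcEndPoint under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = disabled); the function name is mine.

```powershell
# Audit the two PrintNightmare mitigations on this host (read-only unless -DisableSpooler).
# Assumption: "Allow Print Spooler to accept client connections" is stored as the registry
# value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key, where 2 = Disabled.
# Run from an elevated PowerShell session.

param(
    [switch]$DisableSpooler   # apply Option 1 (stops local AND remote printing on this host)
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-PrintNightmareMitigationState {
    # Option 1: the service must be both stopped and set to Disabled to count as mitigated
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerOff = ($null -eq $svc) -or
                  ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')

    # Option 2: policy value 2 means the spooler refuses inbound client (RPC) connections
    $policyValue = (Get-ItemProperty -Path $policyKey -Name $policyName `
                    -ErrorAction SilentlyContinue).$policyName
    $remoteBlocked = ($policyValue -eq 2)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SpoolerStatus         = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        Option1_SpoolerOff    = $spoolerOff
        Option2_RemoteBlocked = $remoteBlocked
        Mitigated             = ($spoolerOff -or $remoteBlocked)
    }
}

$state = Get-PrintNightmareMitigationState
$state | Format-List

if ($DisableSpooler -and -not $state.Option1_SpoolerOff) {
    # Option 1 from the advisory, exactly as given above
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Get-PrintNightmareMitigationState | Format-List
}
```

Run it without switches across a fleet (for example via Invoke-Command) to find hosts where Mitigated is False; note that a host with a working Print Spooler and no policy value set reports both options as False.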
Team hood is still looking for any IOCs or SIEM monitoring events that can be used to track this attack.
Update: On July 6th, 2021, Microsoft released an emergency patch for the PrintNightmare vulnerability.