A Russia-based threat actor, known as APT28 or Forest Blizzard, has recently been exploiting a vulnerability, CVE-2022-38028 , within the Windows Print Spooler service using malware called GooseEgg.
“CVE-2022-38028 is an elevation of privilege vulnerability that is used as part of post-compromise activity,” said Satnam Narang, Senior Staff Research Engineer at Tenable. “In this instance, malware called GooseEgg was used to exploit this flaw to elevate privileges, which could enable attackers to install additional malware like a backdoor, or they could use these elevated privileges to perform lateral movement through the network to discover other systems that hold more sensitive information.”
Narang says attacks conducted by APT groups such as APT28 are frequently targeted because their goals are often more rooted in espionage/intelligence gathering, whereas ransomware groups are purely financially motivated. “We do not have any other indications that CVE-2022-38028 has been exploited by other threat actors at this time,” he said.
“Historically, APT groups were often linked to the exploitation of zero-day vulnerabilities that they often developed or purchased from exploit developers,” added Narang. However, we’ve seen a trend where APT groups will utilise publicly available exploits for known vulnerabilities because the unfortunate fact is unpatched vulnerabilities remain prevalent across many organisations. These publicly available exploits cost nothing to procure and are often plug-and-play for ease of use.”
Narang urges organisations that have not yet applied patches for Print Spooler vulnerabilities, including CVE-2022-38028, as well as related vulnerabilities like CVE-2021-34527 and CVE-2021-1675 (PrintNightmare), to do so promptly. He says this action is essential to mitigate the risk of potential future exploitation by APT28 or other malicious actors.
