Security News > 2024 > April > Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
For nearly four years and perhaps even longer, Forest Blizzard has been using a custom tool that exploits a specific vulnerability in Windows Print Spooler service.
Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more.
"Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations," Microsoft threat analysts have shared on Monday.
Microsoft's analysts say that the hackers have been using GooseEgg "Since at least June 2020 and possibly as early as April 2019." This means that CVE-2022-38028, the vulnerability it exploits, was a zero-day when Microsoft patched it in October 2022.
In any case, Microsoft explains how the GooseEgg tool - typically deployed with a batch script - invokes the GooseEgg executable and achieves persistence as a scheduled task.
Vulnerabilities in the Windows Print Spooler service are often exploited by attackers, and this is the main reason why Microsoft is working on supplanting it with Windows Protected Print Mode.
News URL
https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/
Related news
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- Russian hackers deliver malicious RDP configuration files to thousands (source)
- How a Windows zero-day was exploited in the wild for months (CVE-2024-43451) (source)
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- Faraway Russian hackers breached US organization via Wi-Fi (source)
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-11 | CVE-2022-38028 | Unspecified vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 0.0 |