Security News > 2024 > April > Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)
For nearly four years and perhaps even longer, Forest Blizzard has been using a custom tool that exploits a specific vulnerability in Windows Print Spooler service.
Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more.
"Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations," Microsoft threat analysts have shared on Monday.
Microsoft's analysts say that the hackers have been using GooseEgg "Since at least June 2020 and possibly as early as April 2019." This means that CVE-2022-38028, the vulnerability it exploits, was a zero-day when Microsoft patched it in October 2022.
In any case, Microsoft explains how the GooseEgg tool - typically deployed with a batch script - invokes the GooseEgg executable and achieves persistence as a scheduled task.
Vulnerabilities in the Windows Print Spooler service are often exploited by attackers, and this is the main reason why Microsoft is working on supplanting it with Windows Protected Print Mode.
News URL
https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/
Related news
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- Faraway Russian hackers breached US organization via Wi-Fi (source)
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks (source)
- Hackers exploit critical bug in Array Networks SSL VPN products (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-11 | CVE-2022-38028 | Unspecified vulnerability in Microsoft products Windows Print Spooler Elevation of Privilege Vulnerability | 0.0 |