Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)

For nearly four years, and perhaps even longer, Forest Blizzard has been using a custom tool that exploits a specific vulnerability in the Windows Print Spooler service.
Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more.
"Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations," Microsoft threat analysts have shared on Monday.
Microsoft's analysts say that the hackers have been using GooseEgg "Since at least June 2020 and possibly as early as April 2019." This means that CVE-2022-38028, the vulnerability it exploits, was a zero-day when Microsoft patched it in October 2022.
Microsoft also describes how GooseEgg is deployed: a batch script invokes the GooseEgg executable and establishes persistence by registering a scheduled task.
Vulnerabilities in the Windows Print Spooler service are frequently exploited by attackers, which is the main reason Microsoft is working on supplanting it with Windows Protected Print Mode.
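A defender-side triage check for the two points above: whether the Print Spooler attack surface is exposed on a host, and whether any scheduled task runs as SYSTEM from a batch file or from outside the usual system directories (the persistence pattern described for GooseEgg). This is an added example, not code from the article or from Microsoft; it assumes Windows PowerShell with the built-in ScheduledTasks module, and the function name and trusted-directory list are the author's own choices, not anything Microsoft has published.

```powershell
function Get-SpoolerTaskTriage {
    # Part 1: Print Spooler exposure. The service is the attack surface for CVE-2022-38028;
    # hosts that never print can run with it disabled.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Check     = 'PrintSpoolerService'
        Detail    = if ($spooler) { "Status=$($spooler.Status) StartType=$($spooler.StartType)" } else { 'NotInstalled' }
        Reason    = 'Review: disable Spooler where the host does not need to print'
    }

    # Part 2: SYSTEM scheduled tasks whose action is a batch/cmd file, or whose
    # executable lives outside the directories the OS and installers normally use.
    # Trusted-root list is an assumption; extend it for your own software inventory.
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $runAs = "$($task.Principal.UserId)"
        if ($runAs -notmatch 'SYSTEM' -and $runAs -ne 'S-1-5-18') { continue }
        foreach ($action in $task.Actions) {
            $exe  = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
            $args = "$($action.Arguments)"
            $runsBatch = ($exe -match '\.(bat|cmd)$') -or ($args -match '\.(bat|cmd)(\s|"|$)')
            # Bare names such as "cmd.exe" resolve through PATH; only judge rooted paths.
            $outsideTrusted = [System.IO.Path]::IsPathRooted($exe) -and
                -not ($trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })
            if ($runsBatch -or $outsideTrusted) {
                [PSCustomObject]@{
                    Check  = 'SystemScheduledTask'
                    Detail = "$($task.TaskPath)$($task.TaskName) -> $exe $args"
                    Reason = if ($runsBatch) { 'runs a batch/cmd file as SYSTEM' } else { 'executable outside trusted directories' }
                }
            }
        }
    }
}

# Run and print one row per finding; an empty task list means nothing matched the pattern.
Get-SpoolerTaskTriage | Format-Table -AutoSize -Wrap
```

Findings are review prompts, not verdicts: legitimate management agents also schedule SYSTEM tasks, so compare each hit against the host's known software inventory before acting.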
News URL: https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/
Related Vulnerability

| Date | CVE | Vulnerability title | Risk (CVSS base score) |
|---|---|---|---|
| 2022-10-11 | CVE-2022-38028 | Unspecified vulnerability in Microsoft products: Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 |