The Russia-based threat actor, known as APT28 or Forest Blizzard, has recently been exploiting a vulnerability known as CVE-2022-38028 within the Windows Print Spooler service using a malware called GooseEgg. CVE-2022-38028 represents an elevation of privilege vulnerability which could enable attackers to install additional malware like a backdoor or they could use these elevated privileges to perform lateral movement through the network to discover other systems that hold more sensitive information.
Organisations that have not yet applied patches for Print Spooler vulnerabilities, including CVE-2022-38028, as well as related vulnerabilities like CVE-2021-34527 and CVE-2021-1675 (PrintNightmare), are urged to do so promptly. This action is essential to mitigate the risk of potential future exploitation by APT28 or other malicious actors.
Below is a FAQ attributable to Satnam Narang, sr. staff research engineer at Tenable:
What are the consequences of the exploitation of CVE-2022-38028?
CVE-2022-38028 is an elevation of privilege vulnerability that is used as part of post-compromise activity. In this instance, malware called GooseEgg was used to exploit this flaw to elevate privileges, which could enable attackers to install additional malware like a backdoor or they could use these elevated privileges to perform lateral movement through the network to discover other systems that hold more sensitive information.
Print Spooler was patched over a year ago, how wide-scale could these attacks be?
Based on publicly available information, it appears that exploitation of CVE-2022-38028 has been linked to the Russia-based threat actor known as APT28 or Forest Blizzard. Attacks conducted by APT groups such as APT28 are targeted in nature because their goals are often more rooted in espionage/intelligence gathering, whereas ransomware groups are purely financially motivated. We do not have any other indications that CVE-2022-38028 has been exploited by other threat actors at this time. Organisations that have yet to apply the available patches for Print Spooler flaws like CVE-2022-38028 and PrintNightmare related vulnerabilities (CVE-2021-34527, CVE-2021-1675) should do so as soon as possible to thwart possible future exploitation by APT28 or other threat actors.
What is notable about a nation-backed APT using a known vulnerability?
Historically, APT groups were often linked to the exploitation of zero-day vulnerabilities that they often developed or purchased from exploit developers. However, weโve seen a trend where APT groups will utilise publicly available exploits for known vulnerabilities because the unfortunate fact is unpatched vulnerabilities remain prevalent across many organisations. These publicly available exploits cost nothing to procure and are often plug and play for ease of use.