Tenable Comment: CVE-2022-38028: GooseEgg EoP Exploit
Posted: Wednesday, Apr 24

i 3 Table of Contents

Tenable Comment: CVE-2022-38028: GooseEgg EoP Exploit

The Russia-based threat actor, known as APT28 or Forest Blizzard, has recently been exploiting a vulnerability known as CVE-2022-38028 within the Windows Print Spooler service using a malware called GooseEgg. CVE-2022-38028 represents an elevation of privilege vulnerability which could enable attackers to install additional malware like a backdoor or they could use these elevated privileges to perform lateral movement through the network to discover other systems that hold more sensitive information.

Organisations that have not yet applied patches for Print Spooler vulnerabilities, including CVE-2022-38028, as well as related vulnerabilities like CVE-2021-34527 and CVE-2021-1675 (PrintNightmare), are urged to do so promptly. This action is essential to mitigate the risk of potential future exploitation by APT28 or other malicious actors.

Below is a FAQ attributable to Satnam Narang, sr. staff research engineer at Tenable:

What are the consequences of the exploitation of CVE-2022-38028?

CVE-2022-38028 is an elevation of privilege vulnerability that is used as part of post-compromise activity. In this instance, malware called GooseEgg was used to exploit this flaw to elevate privileges, which could enable attackers to install additional malware like a backdoor or they could use these elevated privileges to perform lateral movement through the network to discover other systems that hold more sensitive information.

Print Spooler was patched over a year ago, how wide-scale could these attacks be?

Based on publicly available information, it appears that exploitation of CVE-2022-38028 has been linked to the Russia-based threat actor known as APT28 or Forest Blizzard. Attacks conducted by APT groups such as APT28 are targeted in nature because their goals are often more rooted in espionage/intelligence gathering, whereas ransomware groups are purely financially motivated. We do not have any other indications that CVE-2022-38028 has been exploited by other threat actors at this time. Organisations that have yet to apply the available patches for Print Spooler flaws like CVE-2022-38028 and PrintNightmare related vulnerabilities (CVE-2021-34527, CVE-2021-1675) should do so as soon as possible to thwart possible future exploitation by APT28 or other threat actors.

What is notable about a nation-backed APT using a known vulnerability?

Historically, APT groups were often linked to the exploitation of zero-day vulnerabilities that they often developed or purchased from exploit developers. However, we’ve seen a trend where APT groups will utilise publicly available exploits for known vulnerabilities because the unfortunate fact is unpatched vulnerabilities remain prevalent across many organisations. These publicly available exploits cost nothing to procure and are often plug and play for ease of use.

Tenable
Today, more than 40,000 organizations around the world rely on Tenable to help them understand and reduce cybersecurity risk across their attack surface — in the cloud or on-premises, from IT to OT and beyond. Our goal is to arm every organization, no matter how large or small, with the visibility and insight needed to answer four critical questions at all times: Where are we exposed? Where should we prioritize based on risk? Are we reducing our exposure over time? How do we compare to our peers?
Share This