CISA Catalogs Microsoft Windows Print Spooler Flaw Exploited by APT28

April 25, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Microsoft Windows Print Spooler privilege escalation vulnerability tracked as CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. The addition followed Microsoft's disclosure that the Russia-linked APT28 group, also tracked as Forest Blizzard, Fancy Bear, and STRONTIUM, had been exploiting the flaw with a previously undocumented tool Microsoft calls GooseEgg.

According to Microsoft, the cyberespionage group has used GooseEgg since at least June 2020, and possibly earlier. The tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. APT28 has used GooseEgg in post-compromise activity against government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.

GooseEgg itself is a simple launcher: it spawns whatever application is specified on its command line with elevated permissions. That is enough for an attacker who already has a foothold, because SYSTEM-level execution on a host supports the usual follow-on objectives, including remote code execution, installing a backdoor, and moving laterally through the compromised network.

The U.S. National Security Agency reported CVE-2022-38028 to Microsoft, which fixed it in the October 2022 Patch Tuesday security updates. The flaw was therefore patched roughly eighteen months before its exploitation became public; hosts that never received that update remain exposed. APT28 has used GooseEgg to gain elevated access to target systems and to steal credentials and other sensitive data.
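Because the fix shipped in October 2022, the practical question for most organizations is whether a given Windows host actually received it and whether the Print Spooler service is exposed at all. The following PowerShell script is an added example, not code from the article, Microsoft, or CISA: it reports the Spooler service state and lists updates installed on or after the 11 October 2022 Patch Tuesday. It deliberately assumes no specific KB number, since the KB identifier for that month's cumulative update differs per Windows build.

```powershell
# Added example (not from the article): report-only check of the two things that
# matter for CVE-2022-38028 on a Windows host. Run in an elevated PowerShell 5.1+
# session. The 2022-10-11 date is the October 2022 Patch Tuesday; no KB number is
# assumed because it differs per OS build.

$patchTuesday = [datetime]'2022-10-11'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1}  Build: {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. Is the vulnerable component even running? A stopped/disabled Spooler
#    removes the attack surface regardless of patch level.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Host "Print Spooler service not present on this host."
} else {
    Write-Host ("Print Spooler: Status={0} StartType={1}" -f $spooler.Status, $spooler.StartType)
}

# 2. Has any update been installed since the fix shipped?
#    Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty for
#    some entries, so those are listed separately rather than silently dropped.
$hotfixes = Get-HotFix
$recent   = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday })
$undated  = @($hotfixes | Where-Object { -not $_.InstalledOn })

if ($recent.Count -gt 0) {
    Write-Host ("{0} update(s) installed on or after {1:yyyy-MM-dd}:" -f $recent.Count, $patchTuesday)
    $recent | Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning ("No update with an install date on or after {0:yyyy-MM-dd}. Treat this host as unpatched for CVE-2022-38028 until verified." -f $patchTuesday)
}

if ($undated.Count -gt 0) {
    Write-Host ("{0} update(s) have no recorded install date; check these manually:" -f $undated.Count)
    $undated | Format-Table HotFixID, Description -AutoSize
}
```

Two caveats apply. An update dated after October 2022 is evidence, not proof: what closes the flaw is the October 2022 (or any later) cumulative update for that host's specific build, so a host that only shows, say, a Defender definition update should still be treated as unpatched. And on hosts that do not need to print, disabling the Print Spooler service is a common hardening step that removes this attack surface entirely, independent of patch level.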

CISA has set a remediation deadline of May 14, 2024 for this vulnerability. Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate cataloged vulnerabilities by their stated deadlines to protect their networks from attacks exploiting them. CISA also recommends that private organizations review the catalog and remediate the listed vulnerabilities in their own infrastructure.
