Microsoft: ATP28 Exploited Windows Print Spooler Bug for several years

Microsoft has announced that the APT28 group (also known as Fancy Bear, FrozenLake, Fighting Ursa, Forest Blizzard, Pawn Storm, SnakeMackerel, Strontium, and others) used the CVE-2022-38028 vulnerability in the Windows Print Spooler to escalate privileges and steal credentials using the previously unknown tool GooseEgg. Notably, the attacks have been ongoing “at least since June 2020, possibly even since April 2019,” though the vulnerability was only fixed at the end of 2022.

The CVE-2022-38028 vulnerability was discovered by the US National Security Agency in 2022, and it was the NSA that informed Microsoft about the issue. The vulnerability was then patched in October 2022, but at that time, the company did not disclose that hackers were already exploiting the bug. It took several more years to detect the attacks.

It is now reported that malicious actors are using GooseEgg to launch and deploy additional payloads and execute various commands with SYSTEM-level privileges.

The tool is applied after compromising and exploiting CVE-2022-38028 through a Windows batch script named execute.bat or doit.bat. It runs the GooseEgg executable file and persists on the compromised system by adding a scheduled task that launches servtask.bat, a second batch script saved on the disk.

The binary accepts four commands: to issue custom return code, run an exploit, launch a DLL or executable with elevated privileges, and test the exploit and check its triggering.

According to Microsoft, the malware creates registry keys to generate a custom protocol handler and register a new CLSID, which acts as a COM server. Then, a symbolic link on the C: drive is replaced to point to a directory controlled by malicious actors containing driver packages to load the Print Spooler service.

Additionally, using GooseEgg, an embedded-DLL is loaded in the context of the Print Spooler service with SYSTEM privileges, sometimes referred to as wayzgoose23.dll. This DLL acts as an application launcher that can execute other payloads with SYSTEM-level permissions, allowing attackers to install backdoors, move through victim networks, and execute remote code on compromised systems.

“Microsoft has observed Forest Blizzard using GooseEgg for post-exploitation against targets, including Ukrainian, Western European, and North American governmental, non-governmental, educational, and transportation organizations,” Microsoft writes. “Although GooseEgg is a basic launcher, it is capable of spawning other applications with elevated privileges, enabling malicious actors to achieve further objectives such as remote code execution, installation of backdoors, and movement across compromised networks.”

Microsoft has urged customers to apply the patch for the CVE-2022-38028 vulnerability released in 2022, as well as fixes for a series of vulnerabilities known under the umbrella term PrintNightmare, which were addressed in 2021 if they have not done so yet. The company also recommends disabling the Print Spooler on domain controllers, as this service is not required for their operation.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment