
A state-level actor, suspected to be from Russia and tracked as APT28 or Forest Blizzard, has been using malware known as GooseEgg to exploit a vulnerability in the Windows Print Spooler service.
Microsoft patched the flaw, CVE-2022-38028, back in October 2022, when it was already under active exploitation; the NSA had reported it to Microsoft at that time.
Microsoft issued an advisory for the flaw, but the advisory makes no mention of its being exploited.
Satnam Narang, senior staff research engineer at security firm Tenable, said in an FAQ that CVE-2022-38028 was an elevation of privilege vulnerability used as part of post-compromise activity.
"In this instance, malware called GooseEgg was used to exploit this flaw to elevate privileges, which could enable attackers to install additional malware like a backdoor or they could use these elevated privileges to perform lateral movement through the network to discover other systems that hold more sensitive information," he said.
In response to a query as to the extent of the attacks, given that a patch had been issued in October 2022, Narang said: "Based on publicly available information, it appears that exploitation of CVE-2022-38028 has been linked to the Russia-based threat actor known as APT28 or Forest Blizzard.
"Attacks conducted by APT groups such as APT28 are targeted in nature because their goals are often more rooted in espionage/intelligence gathering, whereas ransomware groups are purely financially motivated.
"We do not have any other indications that CVE-2022-38028 has been exploited by other threat actors at this time.
"Organisations that have yet to apply the available patches for Print Spooler flaws like CVE-2022-38028 and PrintNightmare related vulnerabilities (CVE-2021-34527, CVE-2021-1675) should do so as soon as possible to thwart possible future exploitation by APT28 or other threat actors."
Asked what was notable about a nation-backed APT using a known vulnerability, Narang said historically APT groups were often linked to the exploitation of zero-day vulnerabilities that they either developed themselves or purchased from exploit developers.
"However, we’ve seen a trend where APT groups will utilise publicly available exploits for known vulnerabilities because the unfortunate fact is unpatched vulnerabilities remain prevalent across many organisations," he added.
"These publicly available exploits cost nothing to procure and are often plug and play for ease of use."
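Narang's advice above comes down to patching the Print Spooler flaws and, where a host has no reason to run the spooler, turning it off. The following PowerShell is an added example of how an administrator could triage that on a Windows host; it is not code from the article, Tenable or Microsoft. It assumes that the earliest fix for CVE-2022-38028 shipped on the October 2022 Patch Tuesday (11 October 2022) and uses the date of the newest installed update as a rough "have we patched since then" hint rather than hard-coding a KB number, because the KB differs per Windows build and must be confirmed against the MSRC advisory. The function name `Get-PrintSpoolerExposure` and the `-DisableIfUnused` switch are my own.

```powershell
function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param(
        # Stop and disable the spooler when this host shares no printers.
        # This is a compensating control for hosts that do not print, not a substitute for the patch.
        [switch]$DisableIfUnused
    )

    # Assumption (mine): first fixes for CVE-2022-38028 shipped on the October 2022 Patch Tuesday.
    $fixReleased = Get-Date -Year 2022 -Month 10 -Day 11

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Get-HotFix wraps Win32_QuickFixEngineering, which omits some update types and can leave
    # InstalledOn blank, so treat this as a hint and confirm the build-specific KB from MSRC.
    $latestUpdate = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1

    # Win32_Printer is available without the PrintManagement module; Shared is a boolean.
    $sharedPrinters = @(Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Shared })

    # PrintNightmare-era hardening policies:
    #   RegisterSpoolerRemoteRpcEndPoint = 2 blocks inbound remote spooler RPC connections.
    #   RestrictDriverInstallationToAdministrators = 1 requires admin rights to install print drivers.
    $printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnpKey      = Join-Path -Path $printersKey -ChildPath 'PointAndPrint'
    $remoteRpc   = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint `
                        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $restrictDrv = (Get-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators `
                        -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators

    $report = [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        SpoolerStatus             = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        SpoolerStartType          = if ($spooler) { $spooler.StartType } else { $null }
        SharedPrinterCount        = $sharedPrinters.Count
        LatestUpdate              = if ($latestUpdate) { $latestUpdate.HotFixID } else { $null }
        LatestUpdateInstalledOn   = if ($latestUpdate) { $latestUpdate.InstalledOn } else { $null }
        UpdatedSinceFixRelease    = [bool]($latestUpdate -and $latestUpdate.InstalledOn -ge $fixReleased)
        RemoteRpcEndpointDisabled = ($remoteRpc -eq 2)
        DriverInstallAdminOnly    = ($restrictDrv -eq 1)
    }

    if ($DisableIfUnused -and $spooler -and $sharedPrinters.Count -eq 0 -and $spooler.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $report.SpoolerStatus    = (Get-Service -Name Spooler).Status
        $report.SpoolerStartType = 'Disabled'
    }

    $report
}

# Run locally as an administrator; wrap in Invoke-Command -ComputerName ... for fleet-wide triage.
Get-PrintSpoolerExposure | Format-List
```

A host where `SpoolerStatus` is `Running`, `UpdatedSinceFixRelease` is `False` and `SharedPrinterCount` is `0` is the case Narang describes: an unpatched spooler that nobody needs, and the cheapest target for a "plug and play" public exploit. Note that GooseEgg is a post-compromise privilege escalation tool, so a stopped spooler removes the escalation path but does nothing about the initial foothold; patching remains the fix.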