Microsoft warns about actively abused vulnerability in Windows Print Spooler service

Microsoft has warned about a Russian state actor exploiting a Print Spooler vulnerability with a tool called GooseEgg.

Microsoft has published a report about what it assumesd is a Russian state-sponsored attacker using a custom tool to exploit a vulnerability in Windows Print Spooler.

The vulnerability, listed as CVE-2022-38028, was patched in October 2022, while the world was waiting for Microsoft to patch the ProxyNotShell vulnerabilities in Exchange. So, it may have gone unnoticed for that reason. The vulnerability was reported to Microsoft by the National Security Agency (NSA) as a zero-day.

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

The custom tool is attributed to APT28 (aka Forest Blizzard or Fancy Bear), a group that is part of Russia’s Main Intelligence Directorate of the General Staff (GRU). The tool has been dubbed GooseEgg and it works by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. JavaScript constraints can be used to augment PrintCapabilities, validate PrintTickets and handle the conversion of PrintTicket.

According to Microsoft the exploitation of the vulnerability has been going on for years and is mainly used against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.

GooseEgg is used as a second-stage part of attacks on already compromised systems to gain SYSTEM-level permissions. It’s basically a batch script that can be used to download and install other malware. Aligned with the usual modus operandi of the Fancy Bear group it uses the malware to collect intelligence in support of Russian government foreign policy initiatives. So, GooseEgg’s main use is to steal credentials and information.

Another vulnerability that Microsoft says it’s seen in combination with GooseEgg is CVE-2023-23397, a Microsoft Outlook Elevation of Privilege (EoP) vulnerability, patched in March 2023.

Timeline:

  • Use of GooseEgg started before June 2020, possibly as early as April 2019.
  • NSA reported the vulnerability to Microsoft.
  • A patch was made available in October 2022.
  • At the time of writing, Microsoft has yet to update the vulnerability’s advisory to “Actively Exploited”.

Microsoft has seen Fancy Bear targeting media organizations, information technology companies, sports organizations, and educational institutions. Some of which may be done with an eye on upcoming European and US elections.

Mitigation

Microsoft urges customers who have not implemented these fixes yet to do so as soon as possible for their organization’s security.