[German]The old print spooler vulnerability CVE-2022-38028 in Windows is probably the preferred target of the Russian hacker group Fancy Bear. This was revealed by Microsoft's analysis of an attack tool ('GooseEgg' malware). However, this attack vector can no longer be exploited on currently patched Windows operating systems, as Microsoft revealed in a blog post.
Advertising
Analysis of the GooseEgg malware
The Microsoft Threat Intelligence security team has spent years studying the activities of the Russian-based threat actor Forest Blizzard (STRONTIUM). This hacker group, which must be based in the intelligence community (GRU), has developed its own tool called 'GooseEgg' to attack Windows systems and then elevate privileges on networks, steal credentials and further penetrate the IT infrastructure.
According to the Microsoft blog post Analyzing Forest Blizzard's custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials from April 22, 2024, the Forest Blizzard group has been using the GooseEgg tool for its attacks since at least June 2020 (possibly as early as April 2019). The tool attacks the vulnerability CVE-2022-38028 in the Windows Print Spooler service via a JavaScript constraints file by modifying this JavaScript restriction file and then executing it with SYSTEM-level privileges.
Microsoft observed activity by Forest Blizzard in which GooseEgg was used as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, educational, and transportation organizations. Although GooseEgg is a simple launcher, it can launch other applications specified on the command line with elevated privileges. This allows attackers to target additional objectives, such as remote code execution, backdoor installation, and lateral movement through compromised networks.
GooseEgg is usually deployed via batch script (execute.bat or doit.bat). This batch script writes the file servtask.bat, which contains commands to save/compress registry hives, and then calls the GooseEgg executable to permanently set itself up as a scheduled task servtask.bat.
The GooseEgg binary – which contains the file names justice.exe and DefragmentSrv.exe, among others – executes one of four commands, each of which has a different execution path. Microsoft describes the commands in question and assumes that this is intended to conceal the activity of the malware. A subdirectory is then created from a list of innocuous names (Microsoft, ESET, etc.), into which the following binary data from the Printer Driver Store is then copied.
Advertising
- C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*
- C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*
Next, registry keys are created that effectively create a custom protocol handler and register a new CLSID that serves as a COM server for this "malicious" protocol. The exploit replaces the symbolic link of the C: drive in the object manager and points to the newly created directory. If the PrintSpooler tries to load a driver,
C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js
it is instead redirected to the directory controlled by the actor, which contains the copied driver packages. Through further steps described by Microsoft, the attackers attempt to gain increased system authorizations in order to spread throughout the system.
Protection against CVE-2022-38028
Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for the PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Anyone who has installed the patches is no longer vulnerable – if the patches are missing, administrators should install them as soon as possible.
As the Print Spooler service is not required for the operation of domain controllers, Microsoft also recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for print spooler vulnerabilities on Windows domain controllers before member servers and workstations. To identify domain controllers on which the print spooler service is enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of print spooler services on domain controllers. Further details can be found in the linked Microsoft article.
Advertising
