Recent Exploits of a Windows Print Spooler Vulnerability Have Been Spotted In The Wild

Enterprise Security Magazine | Tuesday, May 17, 2022

A security flaw in the Windows Print Spooler component that Microsoft patched in February is being actively exploited in the wild, the U.S. Cybersecurity and Infrastructure Security Agency has warned.

FREMONT, CA: The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security defect in the Windows Print Spooler component, which Microsoft patched in February, is being actively abused in the wild. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog, which obliges Federal Civilian Executive Branch (FCEB) agencies to remediate it by May 10, 2022. The flaw, tracked as CVE-2022-22718, is one of four privilege escalation vulnerabilities in the Print Spooler that Microsoft fixed in its Patch Tuesday updates on February 8, 2022. Since the PrintNightmare remote code execution vulnerability surfaced last year, Microsoft has patched a steady stream of Print Spooler issues, including 15 elevation-of-privilege vulnerabilities in April 2022 alone.

The nature of the attacks and the identity of the threat actors abusing the Print Spooler flaw have not been disclosed, a reticence intended to avoid aiding further exploitation. When it released the patches in February, Microsoft rated the bug "Exploitation More Likely." As a privilege escalation flaw it requires code execution on the host first, so in practice it serves as a post-compromise step toward SYSTEM rather than as an initial entry vector.

CISA also added two further flaws to the catalog on the basis of "evidence of active exploitation": CVE-2018-6882 (CVSS score: 6.1), a cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS), and CVE-2019-3568 (CVSS score: 9.8), a buffer overflow in WhatsApp's VoIP stack.

CVE-2018-6882 was added just days after the Computer Emergency Response Team of Ukraine (CERT-UA) issued an advisory warning of phishing attempts against government bodies that exploit the Zimbra flaw to forward victims' emails to a third-party email account. CERT-UA attributed the targeted intrusions to a group it tracks as UAC-0097. Citing real-world attacks that exploit catalogued vulnerabilities, the agency urged organisations to "prioritise fast remediation as part of their vulnerability management process."
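A KEV due date only helps if it is wired into the patch queue. The following Python is an added example for this article, not code from the article, CISA or Microsoft. It assumes the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dueDate and so on); the three-entry catalog subset and the scanner findings are constructed for the example, with only the CVE IDs and the May 10, 2022 deadline taken from the article, and the hostnames and dateAdded values are placeholders.

```python
"""Prioritise scanner findings against a KEV-style catalog.

Added example for this article; not code from the article, CISA or
Microsoft. It assumes the field names of CISA's public KEV JSON feed
(cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate).
The catalog subset and the scanner findings below are constructed: only
the three CVE IDs and the May 10, 2022 deadline come from the article.
"""
import json
from datetime import date

# Constructed catalog subset in the KEV feed layout (assumption: field names
# match the real feed; dateAdded values are placeholders).
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities Catalog (constructed subset)",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-22718", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows Print Spooler Privilege Escalation Vulnerability",
         "dateAdded": "2022-04-19", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-10"},
        {"cveID": "CVE-2018-6882", "vendorProject": "Zimbra", "product": "Collaboration Suite (ZCS)",
         "vulnerabilityName": "Zimbra Collaboration Suite Cross-Site Scripting Vulnerability",
         "dateAdded": "2022-04-19", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-10"},
        {"cveID": "CVE-2019-3568", "vendorProject": "WhatsApp", "product": "WhatsApp",
         "vulnerabilityName": "WhatsApp VoIP Stack Buffer Overflow Vulnerability",
         "dateAdded": "2022-04-19", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-10"},
    ],
})

# Constructed scanner output as (hostname, CVE) pairs. Hostnames are
# placeholders; "CVE-0000-0000" stands in for a finding not in the catalog.
SAMPLE_FINDINGS = [
    ("print01.corp.example", "CVE-2022-22718"),
    ("mail01.corp.example", "cve-2018-6882"),   # scanners differ in letter case
    ("ws-042.corp.example", "CVE-0000-0000"),
]


def load_kev(raw: str) -> dict:
    """Index a KEV-style JSON document by upper-cased CVE ID."""
    doc = json.loads(raw)
    return {v["cveID"].upper(): v for v in doc["vulnerabilities"]}


def prioritise(kev: dict, findings, today: str) -> list:
    """Keep only findings present in the catalog and order them by urgency.

    `today` is an ISO date string. Each row carries days_left relative to
    it; a negative value means the KEV due date has already passed.
    """
    ref = date.fromisoformat(today)
    rows = []
    for host, cve in findings:
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not known-exploited: leave to the normal patch SLA
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": host,
            "cve": cve.upper(),
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - ref).days,
        })
    # Most overdue first; host name breaks ties so the order is stable.
    rows.sort(key=lambda r: (r["days_left"], r["host"]))
    return rows


def overdue(rows: list) -> list:
    """Subset of prioritised rows whose KEV due date has passed."""
    return [r for r in rows if r["days_left"] < 0]


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    queue = prioritise(catalog, SAMPLE_FINDINGS, today="2022-05-17")
    for r in queue:
        flag = "OVERDUE" if r["days_left"] < 0 else f'{r["days_left"]}d left'
        print(f'{r["host"]:22} {r["cve"]:15} due {r["due"]}  {flag}')
```

Run against the constructed data with the article's date (May 17) both catalogued findings come out a week past the May 10 deadline and the uncatalogued one is dropped; swapping in the real feed only changes the JSON that `load_kev` reads. Case-normalising the CVE ID matters because scanner exports do not agree on it, and a missed match here silently demotes a known-exploited bug to the routine queue.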
