Researchers at Microsoft Threat Intelligence have issued a warning that Russian state-sponsored hackers have been targeting Windows users with a custom tool used to steal credentials and even install backdoors.
APT28 Fancy Bear Hackers Behind Newly Reported Windows Attacks
The hackers, more commonly identified as APT28 or Fancy Bear but tracked by Microsoft as Forest Blizzard, are known to be affiliated with Military Unit 26165, which is part of Russia’s GRU military intelligence agency.
Microsoft said that it has seen Forest Blizzard/APT28 using the post-exploitation tool, dubbed GooseEgg, against government, education and transport sector organizations in the U.S., Western Europe and Ukraine. “Forest Blizzard primarily focuses on strategic intelligence targets,” Microsoft said. According to the Microsoft intelligence analysts, APT28 has been using GooseEgg since at least June 2020 and quite possibly as early as April 2019.
Unpatched Windows Vulnerabilities Lay A Golden Exploit Egg
GooseEgg appears, in essence, to be a relatively simple launcher application, but it is a very dangerous tool in the hands of attackers exploiting a long-since patched vulnerability in the Windows Print Spooler service. The vulnerability in question, CVE-2022-38028, was fixed as part of the October 2022 Patch Tuesday rollout, having been first reported by the National Security Agency. On systems that have not applied that fix, GooseEgg exploits the vulnerability by “modifying a JavaScript constraints file and executing it with SYSTEM-level permissions,” Microsoft said. The extent to which GooseEgg can aid the Russian hackers was laid bare by the Microsoft Threat Intelligence report: “GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”
How To Mitigate The GooseEgg Attacks
Once again, this active cyber-espionage campaign by state-sponsored hackers highlights the importance of patching vulnerabilities as soon as possible. In addition to the CVE-2022-38028 Windows Print Spooler vulnerability, GooseEgg can also be used alongside exploits for PrintNightmare, which was first disclosed in 2021. Additional vulnerabilities known to have been targeted by the APT28 hackers include CVE-2023-23397, CVE-2021-34527 and CVE-2021-1675.
Microsoft urges organizations and users to apply the CVE-2022-38028 security update to mitigate this attack. It notes that Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.
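As an added example, not taken from the article or from Microsoft's report, the PowerShell triage script below checks the three things the mitigation advice turns on for a single Windows host: whether the Print Spooler service is running, whether the CVE-2022-38028 update is installed, and whether Microsoft Defender has already logged a HackTool:Win64/GooseEgg detection. It assumes an elevated PowerShell session on the host being checked, and the KB identifier is a placeholder that must be replaced with the KB number of the October 2022 update for the specific Windows build.

```powershell
# Added example (not from the original article): defender-side triage
# for the GooseEgg mitigations described above. Run elevated on the host.
# PLACEHOLDER: set this to the KB number of the CVE-2022-38028 update
# for your Windows build (the article does not list it).
$Cve2022_38028Kb = 'KBXXXXXXX'

$report = [ordered]@{}

# 1. State of the Print Spooler service, the component CVE-2022-38028 affects.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report['SpoolerStatus']    = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
$report['SpoolerStartType'] = if ($spooler) { $spooler.StartType.ToString() } else { 'N/A' }

# 2. Is the security update present? Get-HotFix enumerates installed KBs
#    and raises a non-terminating error when the KB is absent.
$hotfix = Get-HotFix -Id $Cve2022_38028Kb -ErrorAction SilentlyContinue
$report['UpdateInstalled'] = [bool]$hotfix
$report['InstalledOn']     = if ($hotfix) { $hotfix.InstalledOn } else { $null }

# 3. Has Defender recorded the GooseEgg signature on this host?
#    Get-MpThreat lists threats Defender has seen, with their ThreatName.
$gooseEggHits = @(Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -like 'HackTool:Win64/GooseEgg*' })
$report['GooseEggDetections'] = $gooseEggHits.Count

[pscustomobject]$report | Format-List

# Flag the two conditions a responder cares about most.
if ($report['SpoolerStatus'] -eq 'Running' -and -not $report['UpdateInstalled']) {
    Write-Warning 'Print Spooler is running and the CVE-2022-38028 update is not installed: patch this host.'
}
if ($report['GooseEggDetections'] -gt 0) {
    Write-Warning 'Defender has logged GooseEgg on this host: treat it as compromised and investigate follow-on activity.'
}
```

Because GooseEgg runs with SYSTEM privileges after exploitation, a positive Defender detection should be handled as an incident rather than closed out as a blocked file.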