Microsoft: Russian APT 28 exploits Windows bug with GooseEgg tool

Microsoft threat researchers have released a fix to a known vulnerability that the Russian threat group APT 28 – also known as Forest Blizzard and Fancy Bear – has been exploiting for years with the use of a newly identified, customized malware tool dubbed GooseEgg.

Microsoft released a blog on the previously undiscovered Windows Print Spooler service vulnerability (CVE-2022-38028) on Tuesday and said the Russian hacking group had been exploiting the flaw “to elevate privileges and steal credentials in compromised networks” since at least June 2020, and possibly earlier.

APT 28 (Unit 26165) is one of the cyber operations units working under the Kremlin’s GRU – Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces.

Threat groups like APT28 are “notorious for sophisticated cyber-attacks on governmental and non-governmental organizations, as well as critical infrastructure worldwide,” said Dr. Howard Goodman, Technical Director at Skybox Security.

Microsoft says APT 28 has been actively “using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.”

The tech giant claims the Russian hackers were able to deploy GooseEgg and use it to spawn other applications at the command line with elevated permissions, first by modifying a JavaScript constraints file.

Furthermore, the threat actors were able to use the malicious tool to carry out “follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”

Greg Fitzgerald, co-founder of cybersecurity firm Sevco Security, says vulnerabilities such as the Microsoft-identified CVE-2022-38028 are often hiding in plain sight throughout a company’s IT environment, “creating a landscape of threats that security teams can’t see, but are still accountable for.”

“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly it’s these environmental vulnerabilities – in this case within the Windows Print Spooler service, which manages printing processes – that create security gaps giving malicious actors access to data,” Fitzgerald said.

Microsoft is urging organizations to mitigate the threat caused by the simple launcher application, which can be identified by the Microsoft Defender Antivirus software as 'HackTool:Win64/GooseEgg.'

The Microsoft intel blog additionally provides a link to the security fix, more technical details about the tool, as well as the tactics, techniques, and procedures (TTPs) used by APT 28 in past compromises.

Goodman explains that organizations must maintain vigilance and adapt their security strategies to effectively counteract evolving cyber threats such as this one, as well as proactively strengthen their cyber defenses.

Goodman also suggests the use of an emerging strategy in cybersecurity – Continuous Exposure Management (CEM).

The CEM strategy is considered a comprehensive approach that integrates security policy management, attack surface management, vulnerability management, and remediation automation.

“By continuously assessing, prioritizing, and mitigating threats, CEM enables organizations to effectively respond to vulnerabilities and minimize the risks of data breaches and system compromises, by safeguarding their critical data and systems, while enhancing their resilience against sophisticated cyber adversaries,” Goodman said.
