Microsoft has identified a tool used by Russian hackers in order to help them to install backdoors and move across compromised networks.
The tech giant said that since at least June 2020 - and maybe even as long ago as April 2019 - the Russian hacking group it calls ‘Forest Blizzard’ has used the tool to exploit a vulnerability in Windows Print Spooler service.
Microsoft said the tool, which it has dubbed ‘GooseEgg’, is being used against targets including governments, education institutions, and transport firms in Ukraine, Western European, and North America.
The tool exploits the CVE-2022-38028 flaw by modifying a JavaScript constraints file and executing it with system-level permissions. The flaw was patched by Microsoft in October last (it appears Microsoft was alerted to the flaw by the US National Security Agency).
Microsoft said that when deploying GooseEgg, attackers are trying to gain elevated access to target systems and steal credentials and information.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the security researchers said.
Although Russian-backed hackers have been known to exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), Microsoft said the use of GooseEgg in Forest Blizzard operations is a “unique discovery that had not been previously reported by security providers”.
Why is Microsoft concerned about Forest Blizzard?
Forest Blizzard, otherwise known as APT28, Sednit, Sofacy, and Fancy Bear, is most probably linked to Russia’s GRU military intelligence.
It mainly targets government, energy, transportation, and other organizations across the US, Europe, and the Middle East, but has also attacked media, tech, sports organizations, and academic institutions.
Since at least 2010, its main mission has apparently been to collect intelligence in support of Russian government foreign policy initiatives. The group should not be confused with Midnight Blizzard – aka Nobelium or APT29 – who are believed to have attacked Microsoft’s systems in January. That group is said to be linked to Russia’s SVR foreign intelligence service.
ATP28 has been linked with a number of attacks across the last decade and longer, including on the US Democratic National Committee (DNC) and the International Olympic Committee (IOC).
RELATED WHITEPAPER
In January this year, the US Department of Justice disrupted a network of hundreds of small office/home office routers that the Forest Blizzard group had been using. The botnet had been used as part of a vast spear-phishing campaign against US and foreign governments as well as military, security, and corporate targets.
Microsoft analysis shows Forest Blizzard often uses other publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397, which it used to gain secret, unauthorized access to email accounts within Exchange servers.
“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said late last year.
What can you do to protect against GooseEgg?
Microsoft said organizations should apply the security update to mitigate the threat, and attempt to reduce their exposure to print spooler vulnerabilities.
Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022, and updates for PrintNightmare vulnerabilities in June and July last year.
It urged companies that have not implemented these fixes yet to do so as soon as possible to mitigate the risk of compromise.
Beyond this it said that, since the Print Spooler service isn’t required for domain controller operations, it recommends disabling the service on domain controllers.
“Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations,” Microsoft said.
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
CISA issues alert after botched Windows Server patch exposes critical flawNews A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
-
Microsoft issues warning over “opportunistic” cyber criminals targeting big businessNews Microsoft has called on governments to do more to support organizations
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
Microsoft patched a critical vulnerability in its NLWeb AI search tool – but there's no CVE (yet)News Researchers found an unauthenticated path traversal bug in the tool debuted at Microsoft Build in May
-
NCSC says ‘limited number’ of UK firms affected by SharePoint attack as global impact spreadsNews The SharePoint flaw has already had a wide impact according to reports from government security agencies
