Microsoft has identified a tool used by Russian hackers in order to help them to install backdoors and move across compromised networks.
The tech giant said that since at least June 2020 - and maybe even as long ago as April 2019 - the Russian hacking group it calls ‘Forest Blizzard’ has used the tool to exploit a vulnerability in Windows Print Spooler service.
Microsoft said the tool, which it has dubbed ‘GooseEgg’, is being used against targets including governments, education institutions, and transport firms in Ukraine, Western European, and North America.
The tool exploits the CVE-2022-38028 flaw by modifying a JavaScript constraints file and executing it with system-level permissions. The flaw was patched by Microsoft in October last (it appears Microsoft was alerted to the flaw by the US National Security Agency).
Microsoft said that when deploying GooseEgg, attackers are trying to gain elevated access to target systems and steal credentials and information.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the security researchers said.
Although Russian-backed hackers have been known to exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), Microsoft said the use of GooseEgg in Forest Blizzard operations is a “unique discovery that had not been previously reported by security providers”.
Why is Microsoft concerned about Forest Blizzard?
Forest Blizzard, otherwise known as APT28, Sednit, Sofacy, and Fancy Bear, is most probably linked to Russia’s GRU military intelligence.
It mainly targets government, energy, transportation, and other organizations across the US, Europe, and the Middle East, but has also attacked media, tech, sports organizations, and academic institutions.
Since at least 2010, its main mission has apparently been to collect intelligence in support of Russian government foreign policy initiatives. The group should not be confused with Midnight Blizzard – aka Nobelium or APT29 – who are believed to have attacked Microsoft’s systems in January. That group is said to be linked to Russia’s SVR foreign intelligence service.
ATP28 has been linked with a number of attacks across the last decade and longer, including on the US Democratic National Committee (DNC) and the International Olympic Committee (IOC).
RELATED WHITEPAPER
In January this year, the US Department of Justice disrupted a network of hundreds of small office/home office routers that the Forest Blizzard group had been using. The botnet had been used as part of a vast spear-phishing campaign against US and foreign governments as well as military, security, and corporate targets.
Microsoft analysis shows Forest Blizzard often uses other publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397, which it used to gain secret, unauthorized access to email accounts within Exchange servers.
“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said late last year.
What can you do to protect against GooseEgg?
Microsoft said organizations should apply the security update to mitigate the threat, and attempt to reduce their exposure to print spooler vulnerabilities.
Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022, and updates for PrintNightmare vulnerabilities in June and July last year.
It urged companies that have not implemented these fixes yet to do so as soon as possible to mitigate the risk of compromise.
Beyond this it said that, since the Print Spooler service isn’t required for domain controller operations, it recommends disabling the service on domain controllers.
“Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations,” Microsoft said.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
-
Hackers are using this new phishing technique to bypass MFA
News Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
-
Hackers are using Microsoft Teams to conduct “email bombing” attacksNews Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively
-
Microsoft files suit against threat actors abusing AI services
News Cyber criminals are accused of using stolen credentials for an illegal hacking as a service operation
