Researchers at Microsoft Threat Intelligence have issued a warning that Russian state-sponsored hackers have been targeting Windows users with a custom tool used to steal credentials and install backdoors. These hackers, known as APT28 or Fancy Bear and tracked by Microsoft as Forest Blizzard, are associated with Russia’s GRU military intelligence agency. The hackers have been using a post-exploitation tool called GooseEgg against government, education, and transport sector organizations in the U.S., Western Europe, and Ukraine. Microsoft believes APT28 has been using GooseEgg since at least June 2020 and possibly even earlier.

GooseEgg exploits a vulnerability in the Windows Print Spooler service that remained unpatched until Microsoft fixed it in the October 2022 Patch Tuesday rollout. The tool lets attackers modify a JavaScript file and execute it with SYSTEM-level permissions, then spawn other applications specified at the command line with those elevated permissions. This lets the threat actors pursue follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks. The damage GooseEgg can cause is significant, highlighting the danger posed by the APT28 hackers.

Microsoft urges organizations and users to apply the CVE-2022-38028 security update to mitigate GooseEgg attacks, noting that Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg. Beyond the Windows Print Spooler vulnerability, GooseEgg has also been used alongside exploits for other vulnerabilities such as CVE-2023-23397 and PrintNightmare (CVE-2021-34527 and CVE-2021-1675). Patching vulnerabilities as soon as possible is critical to preventing cyber-espionage campaigns by state-sponsored hackers like APT28.

Further developments in the attacks by state-sponsored hackers include the exploitation of an old Microsoft Office vulnerability cataloged as CVE-2017-8570. This vulnerability allows attackers to execute arbitrary code and was hidden in a malicious PowerPoint Slideshow document pretending to be a U.S. Army mine-clearance instruction manual. The analysis of the attacks suggests that military personnel may be the target, as the compromised PowerPoint file was uploaded from Ukraine and the next stage of the attack took place on a site hosted in Russia. The ultimate payload of the attack drops a cracked version of the legitimate Cobalt Strike Beacon professional penetration testing tool, giving attackers the ability to elevate user privileges, steal data, and spread further across the compromised network.

These recent cyber-espionage campaigns underscore the importance of maintaining strong cybersecurity measures and promptly patching vulnerabilities to protect against sophisticated attacks by state-sponsored hackers. Microsoft continues to monitor the activities of threat actors like APT28 and provide updates on security vulnerabilities to help organizations and users defend against such threats. As the methods and tools used by hackers evolve, it is crucial for individuals and businesses to stay vigilant and implement security best practices to safeguard their systems and sensitive information from unauthorized access and cyber threats.
