Microsoft has identified a tool used by Russian hackers in order to help them to install backdoors and move across compromised networks.
The tech giant said that since at least June 2020 - and maybe even as long ago as April 2019 - the Russian hacking group it calls ‘Forest Blizzard’ has used the tool to exploit a vulnerability in Windows Print Spooler service.
Microsoft said the tool, which it has dubbed ‘GooseEgg’, is being used against targets including governments, education institutions, and transport firms in Ukraine, Western European, and North America.
The tool exploits the CVE-2022-38028 flaw by modifying a JavaScript constraints file and executing it with system-level permissions. The flaw was patched by Microsoft in October last (it appears Microsoft was alerted to the flaw by the US National Security Agency).
Microsoft said that when deploying GooseEgg, attackers are trying to gain elevated access to target systems and steal credentials and information.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the security researchers said.
Although Russian-backed hackers have been known to exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), Microsoft said the use of GooseEgg in Forest Blizzard operations is a “unique discovery that had not been previously reported by security providers”.
Why is Microsoft concerned about Forest Blizzard?
Forest Blizzard, otherwise known as APT28, Sednit, Sofacy, and Fancy Bear, is most probably linked to Russia’s GRU military intelligence.
It mainly targets government, energy, transportation, and other organizations across the US, Europe, and the Middle East, but has also attacked media, tech, sports organizations, and academic institutions.
Since at least 2010, its main mission has apparently been to collect intelligence in support of Russian government foreign policy initiatives. The group should not be confused with Midnight Blizzard – aka Nobelium or APT29 – who are believed to have attacked Microsoft’s systems in January. That group is said to be linked to Russia’s SVR foreign intelligence service.
ATP28 has been linked with a number of attacks across the last decade and longer, including on the US Democratic National Committee (DNC) and the International Olympic Committee (IOC).
In January this year, the US Department of Justice disrupted a network of hundreds of small office/home office routers that the Forest Blizzard group had been using. The botnet had been used as part of a vast spear-phishing campaign against US and foreign governments as well as military, security, and corporate targets.
Microsoft analysis shows Forest Blizzard often uses other publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397, which it used to gain secret, unauthorized access to email accounts within Exchange servers.
“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said late last year.
What can you do to protect against GooseEgg?
Microsoft said organizations should apply the security update to mitigate the threat, and attempt to reduce their exposure to print spooler vulnerabilities.
Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022, and updates for PrintNightmare vulnerabilities in June and July last year.
It urged companies that have not implemented these fixes yet to do so as soon as possible to mitigate the risk of compromise.
Beyond this it said that, since the Print Spooler service isn’t required for domain controller operations, it recommends disabling the service on domain controllers.
“Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations,” Microsoft said.
