Russian Hackers Exploiting Windows Print Spooler Vuln
Microsoft Warns APT28's GooseEgg Tool Enables Credential Theft

Russian military intelligence hackers are using an 18-month-old vulnerability in the Windows print spooler utility to deploy a custom tool that elevates privileges and steals credentials.
Microsoft on Monday disclosed that APT28, also known as Fancy Bear and Forest Blizzard, is using a new hacking tool dubbed GooseEgg.
"While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions," Microsoft wrote. That allows Russian General Staff Main Intelligence Directorate hackers "to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks."
The Russian state hacking group - its Russian designation is Unit 26165 of the 85th Main Special Services Center within the intelligence directorate, better known as the GRU - is behind many spear-phishing campaigns against Ukrainian, U.S. and U.K. authorities. It differs from other GRU groups by focusing primarily on strategic intelligence gathering rather than destructive attacks.
Microsoft says it observed post-compromise activities including GooseEgg deployment primarily against Ukrainian, Western European and North American government agencies, as well as non-governmental organizations, educational institutions and transportation sector organizations.
Forest Blizzard has used GooseEgg since at least June 2020, but it gained a new pathway into Windows through a flaw, discovered by the National Security Agency and patched by Microsoft in October 2022, that allows attackers to gain system privileges. Tracked as CVE-2022-38028, the flaw allows attackers to modify a JavaScript constraints file and have it executed with system-level permissions.
GooseEgg operates stealthily within compromised systems. It typically deploys alongside batch scripts, such as execute.bat or doit.bat, which set up persistence. The GooseEgg binary appears with names including justice.exe or DefragmentSrv.exe. It gets its name from an embedded malicious dynamic link library file that typically includes the phrase "wayzgoose" - for example wayzgoose23.dll.

A crucial component of GooseEgg's operation is the manipulation of the MPDW-constraints.js file so that when the Print Spooler attempts to load it, the operating system instead calls a threat-actor-controlled file directory.
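The file names and the MPDW-constraints.js tampering described above are the kind of indicators a defender would turn into a hunting rule. The following Python script is an added example written for this article, not code from Microsoft or from the report it summarizes: it scans file-write events for the names the article lists (execute.bat, doit.bat, justice.exe, DefragmentSrv.exe, a wayzgoose*.dll library) and flags any modification of a file named MPDW-constraints.js. The log line format, the sample events and the spooler directory (shown as a placeholder, since the article does not give it) are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the article: file names GooseEgg has been seen using.
GOOSEEGG_BINARY_NAMES = {"justice.exe", "defragmentsrv.exe"}
GOOSEEGG_BATCH_NAMES = {"execute.bat", "doit.bat"}
# The embedded DLL name carries the phrase "wayzgoose", usually with a numeric suffix.
WAYZGOOSE_DLL = re.compile(r"^wayzgoose\d*\.dll$", re.IGNORECASE)
# The Print Spooler constraints file that GooseEgg manipulates.
SPOOLER_CONSTRAINTS_FILE = "mpdw-constraints.js"


@dataclass
class FileEvent:
    timestamp: str
    action: str    # "create" or "modify"
    process: str   # image name of the process writing the file
    path: str      # full path of the file written


def parse_event(line: str) -> FileEvent:
    """Parse one constructed log line of the form '<ts> <action> <process> <path>'.

    The path is the last field and may contain spaces, so split at most three times.
    """
    ts, action, process, path = line.split(" ", 3)
    return FileEvent(ts, action.lower(), process, path)


def basename(path: str) -> str:
    """Return the final path component, accepting backslash or forward-slash separators."""
    return re.split(r"[\\/]", path)[-1]


def classify(event: FileEvent) -> List[str]:
    """Return the list of indicator labels that match a single file event."""
    name = basename(event.path).lower()
    findings = []
    if name in GOOSEEGG_BINARY_NAMES:
        findings.append("gooseegg-binary-name")
    if name in GOOSEEGG_BATCH_NAMES:
        findings.append("gooseegg-batch-script")
    if WAYZGOOSE_DLL.match(name):
        findings.append("wayzgoose-dll")
    # Legitimate software should rarely rewrite the spooler constraints file;
    # a modification is worth reviewing regardless of which process did it.
    if name == SPOOLER_CONSTRAINTS_FILE and event.action == "modify":
        findings.append("spooler-constraints-modified")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Scan log lines and return (path, findings) for every event that matched an indicator."""
    hits = []
    for line in lines:
        event = parse_event(line)
        findings = classify(event)
        if findings:
            hits.append((event.path, findings))
    return hits


# Constructed sample events; the spooler directory is a placeholder, not a real path.
SAMPLE_LOG = [
    r"2024-04-22T10:01:05Z create explorer.exe C:\Users\alice\Documents\report.docx",
    r"2024-04-22T10:02:11Z create cmd.exe C:\ProgramData\execute.bat",
    r"2024-04-22T10:02:12Z create cmd.exe C:\ProgramData\justice.exe",
    r"2024-04-22T10:02:20Z create justice.exe C:\Windows\Temp\wayzgoose23.dll",
    r"2024-04-22T10:02:25Z modify justice.exe C:\PLACEHOLDER_SPOOLER_DIR\MPDW-constraints.js",
    r"2024-04-22T10:03:00Z modify svchost.exe C:\Windows\System32\drivers\etc\hosts",
]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LOG):
        print(f"{path}: {', '.join(findings)}")
```

The name-based checks are the weakest part of such a rule, since an operator can rename a binary at will; the MPDW-constraints.js modification check is the more durable signal because it follows from how the tool abuses the Print Spooler rather than from a particular sample's file names.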
Forest Blizzard often uses publicly available exploits, such as CVE-2023-23397, a Microsoft Office Outlook privilege escalation vulnerability.