Researchers at Microsoft Threat Intelligence have issued a warning that Russian state-sponsored hackers have been targeting Windows users with a custom tool used to steal credentials and even install backdoors.
04/28 update below. This article was originally published on April 26.
APT28 Fancy Bear Hackers Behind Newly Reported Windows Attacks
The hackers, more commonly identified as APT28 or Fancy Bear but tracked by Microsoft as Forest Blizzard, are known to be affiliated with Military Unit 26165, which is part of Russia’s GRU military intelligence agency.
Microsoft said that it has seen Forest Blizzard/APT28 using the post-exploitation tool, dubbed GooseEgg, against government, education and transport sector organizations in the U.S., Western Europe and Ukraine. “Forest Blizzard primarily focuses on strategic intelligence targets,” Microsoft said. It would appear, the Microsoft intelligence analysts said, that APT28 has been using GooseEgg since at least June 2020 and quite possibly as early as April 2019.
Unpatched Windows Vulnerabilities Lay A Golden Exploit Egg
GooseEgg appears, in essence, to be a relatively simple launcher application, but it is a very dangerous tool in the hands of attackers exploiting a long-since patched vulnerability in the Windows Print Spooler service. The vulnerability in question, CVE-2022-38028, was fixed as part of the October 2022 Patch Tuesday rollout, having first been reported by the National Security Agency. On systems that have not applied that fix, GooseEgg exploits the vulnerability by “modifying a JavaScript constraints file and executing it with SYSTEM-level permissions,” Microsoft said. The extent to which GooseEgg can aid the Russian hackers was laid bare by the Microsoft Threat Intelligence report: “GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”
How To Mitigate The GooseEgg Attacks
Once again, this active cyber-espionage campaign by state-sponsored hackers highlights the importance of patching vulnerabilities as soon as possible. In addition to the CVE-2022-38028 Windows Print Spooler vulnerability, GooseEgg can also be used alongside exploits for PrintNightmare, which was first disclosed in 2021. Additional vulnerabilities known to have been targeted by the APT28 hackers include CVE-2023-23397, CVE-2021-34527 and CVE-2021-1675, the last two being the PrintNightmare identifiers.
Microsoft urges organizations and users to apply the CVE-2022-38028 security update to mitigate this attack. It notes that Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.
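The mitigation advice above boils down to three host-level checks: is the Print Spooler service still exposed, is the relevant update installed, and has Defender already named the tool on this machine. The following PowerShell script is an added example written for this article, not code from Microsoft or from the researchers; it only reads state and changes nothing. It assumes an elevated session on the Windows host being checked and that the Defender cmdlets are available; the KB numbers for the CVE-2022-38028 and CVE-2021-34527 updates depend on the OS build and are not given in the article, so the `$PatchKBs` entries are placeholders you must fill in from the Microsoft advisory for your build.

```powershell
# Added example (not from the article, Microsoft or Deep Instinct): read-only
# posture check for the GooseEgg mitigations the article lists.
# Assumptions: elevated PowerShell on the host under review; Defender cmdlets
# present; $PatchKBs filled in with the KB ids for this OS build (placeholders
# below, the article does not supply them).

$PatchKBs = @('KB<placeholder-CVE-2022-38028>', 'KB<placeholder-CVE-2021-34527>')
$DetectionName = 'HackTool:Win64/GooseEgg'   # Defender name quoted in the article

function Get-SpoolerState {
    # Print Spooler is the attack surface for both CVEs; a host that never
    # prints can stop and disable the service, removing the exposure entirely.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Not installed' }
    return "$($svc.Status) (StartType: $($svc.StartType))"
}

function Test-PatchInstalled {
    param([string[]]$KBs)
    # Get-HotFix only lists updates recorded in WMI; cross-check cumulative
    # updates against Windows Update history if a KB shows as missing.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Get-GooseEggDetections {
    # Defender keeps a history of threats it has named; match on the family.
    if (-not (Get-Command Get-MpThreat -ErrorAction SilentlyContinue)) { return @() }
    Get-MpThreat | Where-Object { $_.ThreatName -like "$DetectionName*" }
}

Write-Host "Print Spooler: $(Get-SpoolerState)"
Test-PatchInstalled -KBs $PatchKBs | Format-Table -AutoSize

if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    Write-Host "Defender signatures last updated: $($status.AntivirusSignatureLastUpdated)"
}

$hits = @(Get-GooseEggDetections)
if ($hits.Count -gt 0) {
    Write-Host "Defender has recorded $($hits.Count) $DetectionName detection(s); treat the host as compromised and start incident response."
    $hits | Select-Object ThreatName, DidThreatExecute, IsActive | Format-Table -AutoSize
} else {
    Write-Host "No $DetectionName detections recorded by Defender on this host."
}
```

A running Spooler on a host that has no printing role is worth disabling regardless of patch state, since that closes the door on this whole family of Print Spooler bugs rather than on one CVE at a time. A recorded detection is evidence of an attempted or successful elevation, not merely of a missing patch, so it should trigger the incident-response process rather than just a patch ticket.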
04/28 update: Ivan Kosarev, a threat intelligence researcher at the Deep Instinct Threat Lab, has reported yet another old Microsoft vulnerability being exploited in attacks. This time, the vulnerability is a Microsoft Office one cataloged as CVE-2017-8570, a bypass of the fix for CVE-2017-0199, also from 2017. In the attacks analyzed by Kosarev, the vulnerability, which enables the attackers to execute arbitrary code, was seemingly wrapped up in a malicious PowerPoint Slideshow document. When you read of security issues that can be initiated by a user opening a specially crafted file, this is what that looks like. The PowerPoint file in question purported to be a mine-clearance U.S. Army instruction manual. The reason that matters becomes clear when you realize the sample discovered and analyzed here was uploaded from Ukraine, with the next stage of the compromise taking place on a site hosted in Russia.
“Without additional clues,” Kosarev said, “it’s hard to understand the exact purpose of the attack.” However, given the type of document used as bait, it’s a fair assumption that military personnel could be the target here, especially as the final payload drops a cracked version of the legitimate Cobalt Strike Beacon, a professional penetration-testing tool. Mostly used by Red Teams whose brief allows them to use the same methods as potential attackers, Cobalt Strike would give a successful attacker the ability to elevate user privileges, steal sensitive data and spread further across the compromised network.