
Microsoft Threat Intelligence researchers have warned that Russian state-sponsored hackers associated with APT28, also known as Fancy Bear, are targeting Windows systems with a custom post-compromise tool called GooseEgg. The tool is used to elevate privileges, steal credentials, and install backdoors in government, education, and transport sector organizations in the U.S., Western Europe, and Ukraine. According to Microsoft, which tracks APT28 as Forest Blizzard, the group has used GooseEgg since at least June 2020 and possibly as early as April 2019.

GooseEgg exploits a vulnerability in the Windows Print Spooler service, CVE-2022-38028, which Microsoft fixed in October 2022; it remains exploitable on hosts that have not installed that update. The flaw lets an attacker who already has a foothold on a machine run code with SYSTEM-level permissions, which in turn supports follow-on activity such as remote code execution, installing backdoors, and moving laterally through the compromised network. Microsoft Defender Antivirus detects the tool as HackTool:Win64/GooseEgg, and Microsoft recommends that organizations and users apply the CVE-2022-38028 security update to close the hole the tool relies on.

Beyond the Print Spooler flaw, APT28 is known to exploit other vulnerabilities, including PrintNightmare and CVE-2017-8570 in Microsoft Office. In one case analyzed by threat intelligence researcher Ivan Kosarev, the attackers used a malicious PowerPoint Slideshow document, disguised as a U.S. Army instruction manual, to execute arbitrary code and drop a cracked copy of the Cobalt Strike Beacon implant. Cobalt Strike is a commercial adversary-emulation framework used by red teams for penetration testing, and pirated copies are widely abused by real attackers; in their hands Beacon provides a foothold from which to elevate privileges, steal sensitive data, and spread to other machines on the compromised network.

This active cyber-espionage campaign underscores the importance of patching promptly. Microsoft urges organizations and users to apply the security updates for the known vulnerabilities APT28 targets, including CVE-2022-38028, CVE-2023-23397, CVE-2021-34527, and CVE-2021-1675. Keeping systems current on security patches and staying alert to suspicious activity reduces the likelihood of being compromised by state-sponsored groups such as APT28.
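The advice above boils down to three checks a Windows administrator can run on a host: is the Print Spooler service exposed at all, has the machine taken updates since the October 2022 fix, and has Defender ever flagged the GooseEgg tool. The script below is an added example written for this page; it is not code from Microsoft's report or from the article. It assumes an elevated PowerShell session on a Windows host with Microsoft Defender, and uses the October 2022 Patch Tuesday date as an assumed cut-off rather than a specific KB number, because Get-HotFix only sees updates that register as hotfixes.

```powershell
# Added example (not from the Microsoft report or the article): quick triage of
# CVE-2022-38028 / GooseEgg exposure on a Windows host.
# Assumptions: run elevated; Microsoft Defender is installed; the cut-off date
# below is the October 2022 Patch Tuesday the article cites, not a KB number.

function Test-GooseEggExposure {
    [CmdletBinding()]
    param(
        # Assumed cut-off: October 2022 Patch Tuesday, when CVE-2022-38028 was fixed.
        [datetime] $PatchCutoff = (Get-Date '2022-10-11'),
        # Detection name quoted in the article.
        [string]   $ThreatName  = 'HackTool:Win64/GooseEgg',
        # When set, stop and disable the Print Spooler on hosts that do not print.
        [switch]   $DisableSpooler
    )

    # 1. Print Spooler: GooseEgg needs it. If a host (a domain controller, a
    #    server that never prints) does not need it, disabling it removes the
    #    attack surface regardless of patch state.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $DisableSpooler) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        $spooler = Get-Service -Name Spooler
    }
    [pscustomobject]@{
        Check  = 'PrintSpooler'
        Result = if ($spooler) { "$($spooler.Status) / startup $($spooler.StartType)" }
                 else          { 'service not present' }
    }

    # 2. Patch recency: any update installed on or after the cut-off suggests the
    #    October 2022 fix is present. "None" is a prompt to check Windows Update
    #    history, not proof the host is unpatched, because Get-HotFix misses
    #    updates that do not register as hotfixes.
    $recent = Get-HotFix |
              Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff } |
              Sort-Object InstalledOn -Descending
    [pscustomobject]@{
        Check  = 'UpdatesSinceCutoff'
        Result = if ($recent) { ($recent | Select-Object -First 3 -ExpandProperty HotFixID) -join ', ' }
                 else         { 'NONE FOUND - verify Windows Update history' }
    }

    # 3. Defender history: has this host ever produced the GooseEgg detection?
    #    Get-MpThreat lists threats Defender has seen on the machine by name.
    $hits = Get-MpThreat -ErrorAction SilentlyContinue |
            Where-Object { $_.ThreatName -eq $ThreatName }
    [pscustomobject]@{
        Check  = 'DefenderDetection'
        Result = if ($hits) { "$ThreatName seen $($hits.Count) time(s) - treat host as compromised" }
                 else       { "no $ThreatName detections recorded" }
    }
}

# Usage: report only, then hardening on a host that does not need to print.
Test-GooseEggExposure | Format-Table -AutoSize
# Test-GooseEggExposure -DisableSpooler | Format-Table -AutoSize
```

A positive Defender hit means the tool already ran on the host, so the patch alone is not a remediation: GooseEgg is used to elevate and then install backdoors and harvest credentials, so the host should be handled as an incident, not just updated.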

The use of a purpose-built tool like GooseEgg shows how APT28's tradecraft has evolved for espionage against targeted organizations. Microsoft's report documents the tool's capabilities and the damage it can do on an unpatched host, and its mitigation guidance gives organizations and individuals concrete steps to keep sensitive information out of the group's reach.

As researchers continue to uncover vulnerabilities exploited by threat actors, users need to stay informed about emerging threats and secure their systems proactively. Regular software updates, strong password management, and awareness of social engineering tactics such as the decoy documents described above all raise the cost of an attack. Continued collaboration between the security community and industry stakeholders remains essential to detecting and disrupting campaigns like this one.
