Microsoft Threat Intelligence researchers have issued a warning that Russian state-sponsored hackers are targeting Windows users with custom tools used to steal credentials and even install backdoors.
Updated on 04/28 below. This article was originally published on April 26th.
APT28 Fancy Bear Hacker Is Behind Newly Reported Windows Attack
The group, commonly identified as APT28 or Fancy Bear, is tracked by Microsoft as Forest Blizzard and is known to be affiliated with military unit 26165, part of Russia's GRU military intelligence agency.
Microsoft said it has observed Forest Blizzard/APT28 using a post-exploitation tool called GooseEgg against organizations in the government, education, and transportation sectors in the United States, Western Europe, and Ukraine. “Forest Blizzard is primarily focused on strategic intelligence objectives,” Microsoft said. APT28 has been using GooseEgg since at least June 2020, and possibly as early as April 2019, according to Microsoft intelligence analysts.
Unpatched Windows vulnerabilities lay golden eggs for exploitation
At its core, GooseEgg appears to be a relatively simple launcher application, but in the hands of attackers exploiting a long-patched vulnerability in the Windows Print Spooler service it becomes a very dangerous tool. The vulnerability in question, CVE-2022-38028, was first reported by the National Security Agency and fixed as part of the October 2022 Patch Tuesday rollout. According to Microsoft, GooseEgg exploits the vulnerability on unpatched systems by “modifying JavaScript constraints files and executing with SYSTEM-level privileges.” The Microsoft Threat Intelligence report spelled out how far GooseEgg can take the Russian hackers: “GooseEgg can spawn other applications specified on the command line with elevated permissions, allowing an attacker to support subsequent objectives such as remote code execution, installing backdoors, and moving laterally through a compromised network.”
How to mitigate GooseEgg attacks
This active cyber espionage campaign by state-sponsored hackers once again highlights the importance of patching vulnerabilities as soon as possible. In addition to the Windows Print Spooler vulnerability CVE-2022-38028, GooseEgg can also be used with the PrintNightmare exploit, which was first published in 2021. Additional vulnerabilities known to be targeted by APT28 hackers include CVE-2023-23397, CVE-2021-34527 and CVE-2021-1675.
Microsoft is urging organizations and users to apply the CVE-2022-38028 security update to mitigate this attack. Microsoft also states that Microsoft Defender Antivirus detects certain Forest Blizzard capabilities as HackTool:Win64/GooseEgg.
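The two mitigation points above, confirming the CVE-2022-38028 update is installed and checking whether Defender has flagged HackTool:Win64/GooseEgg, can be turned into a quick host triage script. The PowerShell below is an added example, not code from the article or from Microsoft. It assumes it runs elevated on a Windows host with Microsoft Defender Antivirus, and it takes the KB number of the CVE-2022-38028 update as a parameter because the article does not give one (the default is a placeholder to replace).

```powershell
# Added example (not from the article or from Microsoft): defender-side triage
# for the GooseEgg guidance above. Run elevated on a Windows host with
# Microsoft Defender Antivirus.
param(
    # Placeholder: replace with the KB id of the CVE-2022-38028 update for this OS build.
    [string[]]$PatchKb = @('KB<CVE-2022-38028-update-id>')
)

$report = [ordered]@{}

# 1. Is the Print Spooler service, which hosts the vulnerable component, present and running?
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report['SpoolerStatus'] = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }

# 2. Is the security update installed? Get-HotFix only sees updates that register a KB id,
#    so a 'missing' result means 'verify via Windows Update / WSUS', not 'proven unpatched'.
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$report['PatchInstalled'] = foreach ($kb in $PatchKb) {
    [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
}

# 3. Has Defender ever flagged the HackTool:Win64/GooseEgg signature named in the article?
#    Get-MpThreat lists threats seen on the host; Get-MpThreatDetection gives per-detection details.
$goose = Get-MpThreat -ErrorAction SilentlyContinue | Where-Object { $_.ThreatName -like '*GooseEgg*' }
$report['GooseEggDetections'] = foreach ($t in $goose) {
    Get-MpThreatDetection -ThreatID $t.ThreatID -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'ThreatName'; e = { $t.ThreatName } },
                      InitialDetectionTime, ProcessName, DomainUser, Resources
}

# 4. Cross-check the Defender operational log (event 1116 = malware detected,
#    1117 = action taken) in case the threat history has been cleared.
$report['GooseEggEvents'] = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'GooseEgg' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Emit one object so the result can be exported or fed to a fleet-wide collection job.
[pscustomobject]$report
```

The script only reports; it does not change the service state or quarantine anything. Any GooseEgg detection or event hit is a reason to start incident response on that host rather than to treat the Defender action as closure, since the article notes the tool is used to install backdoors and move laterally.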
Updated 04/28: Deep Instinct Threat Lab threat intelligence researcher Ivan Kosarev reported that an old Microsoft vulnerability is being exploited in attacks. The vulnerability in question is in Microsoft Office and is tracked as CVE-2017-8570, a bypass for the 2017 vulnerability CVE-2017-0199. In the attack analyzed by Kosarev, a malicious PowerPoint slideshow document exploits the vulnerability to let the attacker execute arbitrary code. This is exactly the scenario security advisories describe: a user opens a specially crafted file and the attacker gains code execution. The PowerPoint file in question purported to be a US Army demining instruction manual. The context becomes clearer when we learn that the samples discovered and analyzed were uploaded from Ukraine, and that the next stage of the compromise is served from a site hosted in Russia.
“Unless we have additional clues,” Kosarev said, “it is difficult to understand the exact purpose of the attack.” However, given the type of documents used as decoys, it is reasonable to assume that military personnel could be targeted, especially since the final payload drops a cracked version of the genuine Cobalt Strike Beacon professional penetration testing tool. Cobalt Strike is primarily used by red teams, the point being that it lets them use the same techniques as potential attackers. In the hands of a successful attacker, Cobalt Strike provides the ability to escalate user privileges, steal sensitive data, and spread further across a compromised network.