A notorious Russian APT group has been stealing credentials for years by exploiting a Windows Print Spooler bug and using a novel post-compromise tool known as “GooseEgg,” Microsoft has revealed.
APT28 (aka Strontium, Forest Blizzard) has been using GooseEgg, potentially since as far back as April 2019, to exploit CVE-2022-38028, Microsoft said in a new report published yesterday.
CVE-2022-38028 was reported to Microsoft by the NSA and patched in October 2022. GooseEgg is used to modify a JavaScript constraints file and execute it with system-level permissions, enabling the threat actors to steal credentials and information from targeted networks.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the report noted.
APT28 has been linked by British and US intelligence to the Russian General Staff Main Intelligence Directorate (GRU), and usually focuses on cyber-espionage rather than destructive attacks.
Its targets in this campaign include Ukrainian, Western European and North American government, non-governmental, education and transportation sector organizations, according to Microsoft.
“Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” the report claimed.
Microsoft urged sysadmins to apply the CVE-2022-38028 security update and, since the service is not required for domain controller operations, to disable Print Spooler on domain controllers. The report also suggested running EDR or XDR tooling to detect GooseEgg; Microsoft Defender Antivirus detects it as HackTool:Win64/GooseEgg.
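The mitigations above, as an added PowerShell example that is not part of Microsoft's report or the original article: it disables Print Spooler only if the host is a domain controller, checks heuristically whether an update from the October 2022 Patch Tuesday or later is installed, and queries Defender for any detection carrying the GooseEgg signature name. The update-date check is an assumption of this example (cumulative updates supersede the original fix, so a later update date is used as a proxy rather than hard-coding a KB number that varies by OS build).

```powershell
# Added example, not from Microsoft's report: harden a host against CVE-2022-38028
# exploitation and look for GooseEgg detections. Run in an elevated PowerShell session.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = $role -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service is not installed on this host."
} elseif ($isDc) {
    # A domain controller does not need Print Spooler: stop it and keep it from starting at boot.
    if ($spooler.Status -eq 'Running') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Domain controller: Print Spooler stopped and disabled."
} else {
    # Member servers may legitimately print; report the state instead of changing it.
    Write-Output ("Member server: Spooler is {0} (start type {1})." -f $spooler.Status, $spooler.StartType)
}

# Heuristic patch check (assumption of this example): the CVE-2022-38028 fix shipped on
# 2022-10-11 and is carried forward by every later cumulative update, so an update installed
# on or after that date indicates the fix is present. This does not replace a vulnerability scan.
$patchDate = Get-Date '2022-10-11'
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($null -ne $latest -and $latest.InstalledOn -ge $patchDate) {
    Write-Output ("Newest update {0} installed {1:yyyy-MM-dd}; CVE-2022-38028 fix is likely applied." -f $latest.HotFixID, $latest.InstalledOn)
} else {
    Write-Warning "No update installed on or after 2022-10-11; apply the CVE-2022-38028 security update."
}

# Defender's signature for the tool is HackTool:Win64/GooseEgg; list any matching detections.
$hits = Get-MpThreat -ErrorAction SilentlyContinue | Where-Object { $_.ThreatName -like '*GooseEgg*' }
if ($hits) {
    $hits | Select-Object ThreatName, SeverityID, Resources | Format-List
} else {
    Write-Output "No Defender detections named GooseEgg on this host."
}
```

Disabling the service on a member server that hosts print queues would break printing, which is why the script only changes state on domain controllers; roll the same change out to other servers only after confirming they do not serve printers.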
The report warned that APT28’s TTPs and infrastructure related to GooseEgg could change at any time.