Microsoft Threat Intelligence researchers have issued a warning about Russian state-sponsored hackers targeting Windows users with a custom tool to steal credentials and install backdoors. The hackers, known as APT28 or Fancy Bear and tracked by Microsoft as Forest Blizzard, are affiliated with Russia’s GRU military intelligence agency.
Forest Blizzard/APT28 has been using a post-exploitation tool called GooseEgg against government, education, and transport sector organizations in the U.S., Western Europe, and Ukraine. This group primarily focuses on strategic intelligence targets and has been utilizing GooseEgg since at least June 2020.
GooseEgg exploits a patched vulnerability in the Windows Print Spooler service, known as CVE-2022-38028, which was fixed in October 2022. The tool allows threat actors to execute commands with elevated permissions, enabling activities such as remote code execution and lateral movement within compromised networks.
Microsoft emphasizes the importance of promptly patching vulnerabilities like CVE-2022-38028 to mitigate such attacks. GooseEgg can also be used alongside exploits for other vulnerabilities targeted by APT28, such as the PrintNightmare flaws (CVE-2021-34527 and CVE-2021-1675) and CVE-2023-23397.
Organizations and users are urged to apply the security update for CVE-2022-38028 and utilize Microsoft Defender Antivirus to detect the Forest Blizzard capability as HackTool:Win64/GooseEgg.
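The following PowerShell script is an added example, not part of the article or of Microsoft's guidance, showing how an administrator can check a Windows host against the two mitigations the article names: exposure of the Print Spooler service and Defender coverage for the HackTool:Win64/GooseEgg detection. It uses only built-in cmdlets (Get-Service, Get-MpComputerStatus, Get-MpThreat, Get-HotFix); the detection name is the one the article cites, and the "most recent hotfix" check is a generic heuristic because the KB number for the CVE-2022-38028 fix varies by Windows build and is not given on the page.

```powershell
# Added example (not from the article): defender-side checks for the GooseEgg mitigations.
# Run from an elevated PowerShell prompt on a host with the Defender module available.

# 1. Print Spooler exposure. GooseEgg targets the Print Spooler service, so hosts that
#    never print can have it disabled; others should at least know it is running.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service not present on this host"
} else {
    Write-Output ("Print Spooler: status={0} startType={1}" -f $spooler.Status, $spooler.StartType)
    if ($spooler.Status -eq 'Running') {
        Write-Output "  -> Spooler is running; disable it if this host does not need to print"
    }
}

# 2. Defender state. The HackTool:Win64/GooseEgg detection only fires if real-time
#    protection is on and signatures are reasonably current.
$status = Get-MpComputerStatus
Write-Output ("Real-time protection enabled: {0}" -f $status.RealTimeProtectionEnabled)
Write-Output ("Antivirus signatures last updated: {0}" -f $status.AntivirusSignatureLastUpdated)
if ((Get-Date) - $status.AntivirusSignatureLastUpdated -gt (New-TimeSpan -Days 7)) {
    Write-Output "  -> Signatures are more than 7 days old; update before relying on detection"
}

# 3. Existing detections. Get-MpThreat lists threats Defender has recorded on this host;
#    filter on the detection name the article gives for GooseEgg.
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*GooseEgg*' }
if ($hits) {
    foreach ($h in $hits) {
        Write-Output ("Detection: {0} (ThreatID {1}, SeverityID {2}, active={3})" -f `
            $h.ThreatName, $h.ThreatID, $h.SeverityID, $h.IsActive)
    }
} else {
    Write-Output "No HackTool:Win64/GooseEgg detection recorded on this host"
}

# 4. Patch state. CVE-2022-38028 was fixed in the October 2022 updates. The exact KB
#    depends on the Windows build, so this check only confirms the host has taken a
#    cumulative update more recently than that (a hypothetical cut-off, not a KB lookup).
$cutoff = Get-Date -Year 2022 -Month 10 -Day 11
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $latest) {
    Write-Output "No hotfix install dates reported; verify update state another way"
} elseif ($latest.InstalledOn -lt $cutoff) {
    Write-Output ("Most recent hotfix {0} installed {1}, before the October 2022 fix; host likely unpatched" -f `
        $latest.HotFixID, $latest.InstalledOn)
} else {
    Write-Output ("Most recent hotfix {0} installed {1}; confirm the build-specific KB for CVE-2022-38028" -f `
        $latest.HotFixID, $latest.InstalledOn)
}
```

The hotfix date check is deliberately conservative: a recent install date does not prove the specific update is present, so the output tells the operator to confirm the build-specific KB rather than declaring the host patched.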