April 23, 2024 at 10:13AM
APT28, a Russia-linked cyberespionage group, utilized Windows Print Spooler vulnerabilities to deploy GooseEgg, a custom post-exploitation tool targeting organizations in the US, Ukraine, and Western Europe. The tool can grant attackers elevated privileges, enabling activities such as remote code execution and backdoor deployment. Microsoft advises applying security updates and disabling the Print Spooler service on domain controllers.
According to the meeting notes, the Russia-linked cyberespionage group APT28 has been observed exploiting Windows Print Spooler vulnerabilities to deploy a custom post-exploitation tool called GooseEgg. This tool gives the attackers capabilities such as remote code execution, backdoor deployment, and lateral movement. APT28, also known as Forest Blizzard, has targeted numerous organizations in the US, Ukraine, and Western Europe, including government, non-governmental, education, and transportation organizations.
To deliver GooseEgg, APT28 has exploited known vulnerabilities such as CVE-2022-38028, CVE-2023-23397, CVE-2021-34527, and CVE-2021-1675 (known as PrintNightmare). Microsoft urges customers to apply the security updates for these vulnerabilities and also recommends disabling the Print Spooler service on domain controllers, since the service is not required for domain controller operations.
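The mitigation above (disable Print Spooler where it is not needed, starting with domain controllers) can be audited and applied from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft; it assumes it runs locally on the host being checked and that the `Spooler` service name and the `Win32_ComputerSystem.DomainRole` values (4 and 5 for backup and primary domain controllers) are as documented by Microsoft.

```powershell
# Added example: audit the Print Spooler service on this host and, on domain
# controllers only, stop and disable it. Run in an elevated PowerShell session.

# DomainRole 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service is not present on $env:COMPUTERNAME"
    return
}

# Report the current state before changing anything
Write-Output ("{0}: Spooler status={1}, start type={2}, domain controller={3}" -f `
    $env:COMPUTERNAME, $spooler.Status, $spooler.StartType, $isDomainController)

if ($isDomainController -and ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')) {
    # Print Spooler is not needed for domain controller operation; remove the attack surface.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on domain controller $env:COMPUTERNAME"
}
elseif (-not $isDomainController -and $spooler.Status -eq 'Running') {
    # On member servers and workstations the service may be needed for printing;
    # leave it running but flag it so patch status for the listed CVEs is verified.
    Write-Output "Print Spooler is running on non-DC host $env:COMPUTERNAME; confirm the Print Spooler security updates are installed."
}
```

To run it across a fleet, wrap the body in `Invoke-Command -ComputerName` against the list of domain controllers; `Get-Service` and `Set-Service` require administrative rights, so the session must be elevated on each target.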
Microsoft has released indicators of compromise (IOCs) associated with the observed attacks and provided additional resources to help organizations hunt for potential GooseEgg infections. APT28, believed to be linked to the Russian General Staff Main Intelligence Directorate (GRU), is known for targeting organizations in the US, Europe, and the Middle East for intelligence gathering.
Furthermore, it is noted that APT28 goes by various aliases, including APT-C-20, ATK5, Blue Athena, Fancy Bear, FrozenLake, Fighting Ursa, and others. Related incidents include the FBI dismantling a Ubiquiti router botnet controlled by Russian cyberspies, a Russian APT using a zero-click Outlook exploit, and Russia exploiting old vulnerabilities to hack Cisco routers.