April 22, 2024 at 09:21PM
Russian state-sponsored operators have exploited a Windows Print Spooler vulnerability to deploy GooseEgg, a custom tool used to steal credentials and elevate privileges inside compromised networks. Microsoft's threat intelligence team attributed the activity to Forest Blizzard, a group linked to Russian military intelligence. Microsoft patched the vulnerability in October 2022 and has published mitigation guidance.
Russian operators have been exploiting a years-old Windows Print Spooler vulnerability with a custom tool called GooseEgg to elevate privileges and steal credentials across compromised networks. Microsoft Threat Intelligence has identified Forest Blizzard (also tracked as Fancy Bear and APT28) as the cyber espionage crew behind this activity and links the group to the Russian General Staff Main Intelligence Directorate (GRU). Targets of the GooseEgg campaign include government, non-governmental, education, and transportation organizations in Ukraine, Western Europe, and North America.
Microsoft patched the vulnerability, tracked as CVE-2022-38028, in October 2022, and every organization should confirm that this update is installed. Microsoft also recommends disabling the Print Spooler service on domain controllers, since it is not required for domain controller operations. In addition, organizations should verify that the earlier PrintNightmare fixes Microsoft issued on June 8, 2021 and July 1, 2021 have been applied.
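The following PowerShell script is an added example, not part of the Microsoft alert or this article, showing how an administrator could audit the Print Spooler recommendation above across all domain controllers and optionally disable the service. It assumes Windows PowerShell with the ActiveDirectory RSAT module, WinRM access to each DC, and Domain Admin rights; the parameter names and the patch-date heuristic (a hotfix installed on or after the October 2022 Patch Tuesday, 2022-10-11) are our own assumptions and not identifiers from the page.

```powershell
<#
.SYNOPSIS
  Audit (and optionally disable) the Print Spooler on every domain controller.
  Added example; not from the Microsoft advisory. Assumes the ActiveDirectory
  module and WinRM connectivity to each DC.
.PARAMETER Remediate
  When set, stops the Spooler service on each DC and sets its start type to
  Disabled. Without it the script only reports.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

Import-Module ActiveDirectory -ErrorAction Stop

# Assumed threshold: the October 2022 Patch Tuesday that shipped the
# CVE-2022-38028 fix. A DC with no hotfix installed on or after this date
# is flagged as "likely unpatched"; confirm against the KB for your build.
$patchThreshold = Get-Date '2022-10-11'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Collect service state and the newest installed hotfix in one remote call.
        $state = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
            $newest = Get-HotFix |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            [PSCustomObject]@{
                SpoolerStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
                SpoolerStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
                NewestHotFix     = if ($newest) { $newest.HotFixID } else { $null }
                NewestHotFixDate = if ($newest) { $newest.InstalledOn } else { $null }
            }
        }

        $likelyUnpatched = (-not $state.NewestHotFixDate) -or ($state.NewestHotFixDate -lt $patchThreshold)
        $spoolerExposed  = $state.SpoolerStatus -eq 'Running' -or $state.SpoolerStartType -ne 'Disabled'

        if ($Remediate -and $spoolerExposed -and $state.SpoolerStatus -ne 'NotInstalled') {
            if ($PSCmdlet.ShouldProcess($dc, 'Stop and disable Print Spooler')) {
                Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                    Stop-Service -Name Spooler -Force -ErrorAction Stop
                    Set-Service  -Name Spooler -StartupType Disabled -ErrorAction Stop
                }
                $state.SpoolerStatus    = 'Stopped'
                $state.SpoolerStartType = 'Disabled'
                $spoolerExposed = $false
            }
        }

        [PSCustomObject]@{
            DomainController = $dc
            SpoolerStatus    = $state.SpoolerStatus
            SpoolerStartType = $state.SpoolerStartType
            SpoolerExposed   = $spoolerExposed
            NewestHotFix     = $state.NewestHotFix
            NewestHotFixDate = $state.NewestHotFixDate
            LikelyUnpatched  = $likelyUnpatched
        }
    }
    catch {
        # Unreachable DCs are reported rather than silently skipped.
        [PSCustomObject]@{
            DomainController = $dc
            SpoolerStatus    = "ERROR: $($_.Exception.Message)"
            SpoolerStartType = $null
            SpoolerExposed   = $null
            NewestHotFix     = $null
            NewestHotFixDate = $null
            LikelyUnpatched  = $null
        }
    }
}

# Print the table and exit non-zero if any DC still exposes the spooler or
# looks unpatched, so the script can gate a scheduled compliance job.
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.SpoolerExposed -or $_.LikelyUnpatched }) { exit 1 } else { exit 0 }
```

Run it once without `-Remediate` to see the current state, then with `-Remediate -WhatIf` to preview and `-Remediate` to apply. The hotfix-date check is deliberately coarse: it tells you a DC has not received any cumulative update since October 2022, which is a strong signal, but the definitive check is the presence of the specific KB for the DC's OS build. Disabling the spooler via Group Policy (Computer Configuration, Windows Settings, Security Settings, System Services) is the durable way to keep it off after the one-time remediation.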
For further details, defenders should review the full list of threat hunting queries and indicators of compromise that Microsoft published in its Monday alert. Running those queries and checking for the listed indicators is an important step in detecting existing compromises and preventing further exploitation by this actor.