Russia’s APT28 Exploited Windows Print Spooler Flaw to Deploy ‘GooseEgg’ Malware

April 23, 2024 at 01:27AM

APT28, also known as Fancy Bear and Forest Blizzard, deployed the GooseEgg malware by exploiting a Windows Print Spooler flaw, targeting organizations in Ukraine, Western Europe, and North America. The group, affiliated with Russia’s military intelligence agency, has a history of folding public exploits into its intelligence-gathering operations. Separately, IBM X-Force reported new phishing attacks by the Gamaredon actor.

Key takeaways from the article:

1. The Russia-linked threat actor APT28, also known as Fancy Bear or Forest Blizzard, used a previously unknown custom malware named GooseEgg that exploits a security flaw in the Windows Print Spooler component (CVE-2022-38028) for privilege escalation.

2. Microsoft released updates in October 2022 to address the flaw, with credit to the U.S. NSA for reporting it. APT28 targeted Ukrainian, Western European, and North American organizations in government, non-governmental, education, and transportation sectors.

3. The GooseEgg malware, deployed by Forest Blizzard, can spawn other applications with elevated permissions, which enables follow-on activity such as remote code execution, backdoor installation, and lateral movement within compromised networks.

4. Forest Blizzard is associated with Unit 26165 of the Russian Federation’s GRU and primarily focuses on intelligence collection to support Russian government foreign policy initiatives.

5. APT28 has also exploited privilege escalation flaws in Microsoft Outlook (CVE-2023-23397) and a code execution bug in WinRAR (CVE-2023-38831), demonstrating their ability to swiftly adopt public exploits into their operations.

6. IBM X-Force revealed new phishing attacks by the Gamaredon actor, delivering iterations of the GammaLoad malware, including VBS-based backdoors, Base64-encoded VBS payloads, .EXE payloads, and PowerShell-based backdoors.

7. Hive0051, associated with Gamaredon, consistently fields new tools and delivery methods, delivered through synchronized DNS fluxing across multiple channels, which indicates an escalation in the actor's resources and capability for ongoing operations.
