Russia’s Fancy Bear Pummels Windows Print Spooler Bug

April 23, 2024 at 09:27AM

A Russian APT group, Fancy Bear, has been using a tool called GooseEgg to exploit a vulnerability in the Windows Print Spooler service, enabling privilege elevation and credential theft in intelligence-gathering attacks globally. The group's history includes targeting Microsoft product vulnerabilities for cyber-espionage, with significant recent activity in attacks against Ukraine. Microsoft has released a security update to mitigate the GooseEgg threat.

Key takeaways from the article:

– A well-known Russian advanced persistent threat (APT) group, Fancy Bear, has been utilizing a custom tool called GooseEgg to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service. This allows the group to elevate privileges and execute commands with SYSTEM-level permissions.

– Fancy Bear has been deploying GooseEgg in attacks against various government and nongovernmental organizations in Ukraine, Western Europe, and North America. The group has a history of attacking known vulnerabilities in Microsoft products for intelligence gathering purposes.

– Microsoft has recommended applying the CVE-2022-38028 security update to mitigate the GooseEgg threat against Windows Print Spooler. Additionally, Microsoft Defender Antivirus detects the specific Forest Blizzard (Microsoft's name for Fancy Bear) capability as HackTool:Win64/GooseEgg.

– To further mitigate the threat, organizations can also disable the Windows Print Spooler service on domain controllers. Microsoft Defender for Identity has a built-in security assessment to track the availability of Print Spooler services on domain controllers.
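The following PowerShell script is an added example, not code from the article or from Microsoft, that implements the mitigation described above: it audits the Print Spooler service on every domain controller in the current domain and, when run with the `-Disable` switch, stops the service and sets its startup type to Disabled. It assumes the ActiveDirectory RSAT module is installed on the machine it runs from, that WinRM is enabled on the domain controllers, and that the caller has rights to manage services on them; none of these assumptions come from the article. Defender for Identity's built-in assessment gives the same visibility; this script is the manual equivalent for environments that do not use it.

```powershell
<#
  Added example, not part of the article or of Microsoft's guidance.
  Audits the Print Spooler service on every domain controller and, with
  -Disable, stops it and sets its startup type to Disabled.
  Assumptions (not stated in the article): ActiveDirectory RSAT module
  installed locally, WinRM reachable on the DCs, caller can manage services.
#>
[CmdletBinding()]
param(
    [switch]$Disable   # audit only unless this switch is supplied
)

Import-Module ActiveDirectory -ErrorAction Stop

# Every domain controller in the current domain.
$dcHosts = (Get-ADDomainController -Filter *).HostName

# Collect the service state from all DCs in one fan-out call.
$report = Invoke-Command -ComputerName $dcHosts -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Status = 'NotInstalled'; StartType = 'n/a' }
    }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
    }
}

$report | Sort-Object Host | Format-Table Host, Status, StartType -AutoSize

# DCs where the spooler is running now or could start again at reboot.
$exposed = $report | Where-Object {
    $_.Status -eq 'Running' -or ($_.StartType -ne 'Disabled' -and $_.StartType -ne 'n/a')
}

if (-not $Disable) {
    if ($exposed) {
        Write-Warning ("Print Spooler enabled on: " + ($exposed.Host -join ', ') + " (rerun with -Disable to remediate)")
    }
    return
}

# Remediate: stop the service and prevent it from starting again.
foreach ($dc in $exposed.Host) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        $after = Get-Service -Name Spooler
        "{0}: Spooler now {1} / {2}" -f $env:COMPUTERNAME, $after.Status, $after.StartType
    }
}
```

Run it once without `-Disable` to see the table and confirm no domain controller is intentionally hosting print queues, then rerun with `-Disable`; the per-host line printed at the end shows the post-change state so the result can be pasted into the change record.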

– According to Greg Fitzgerald, co-founder at Sevco Security, printer bugs are challenging to remediate due to under-inventoried printers in IT environments, and organizations struggle to create an accurate IT asset inventory.
