Microsoft has disclosed that the Russian cyber espionage group known as APT28 or Fancy Bear has been exploiting a vulnerability in the Windows Print Spooler service, the same service at the center of the earlier PrintNightmare security issue. The group, which operates as military unit 26165 of Russia's GRU, has used a previously unknown tool, dubbed GooseEgg, to escalate privileges, steal credentials, and exfiltrate data. The vulnerability, tracked as CVE-2022-38028, has been exploited by APT28 since at least June 2020, with possible activity dating back to April 2019. Microsoft patched the flaw in its October 2022 Patch Tuesday updates, following a report from the U.S. National Security Agency.
The Mechanics of the Attack
APT28’s deployment of GooseEgg begins with a Windows batch script, named either ‘execute.bat’ or ‘doit.bat’, which launches the GooseEgg executable. The attackers then maintain persistence on the compromised system through a scheduled task named ‘servtask.bat’. GooseEgg also injects a malicious DLL, in some cases named ‘wayzgoose23.dll’, into the Print Spooler service with SYSTEM permissions. This DLL acts as an application launcher that can run further payloads with elevated privileges, allowing the attackers to install backdoors, move through victims’ networks, and execute code remotely on the affected systems.
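As an added illustration from a detection standpoint (not code from Microsoft's report or from this article), the following Python script matches the artifact names the article gives against constructed, Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records; its last rule goes one step beyond the page by flagging any DLL the Print Spooler loads from outside the Windows directory. The JSON field names, paths and sample records are assumptions made for this example.

```python
import json
import re
# Artifact names given in the article, lowercased for case-insensitive matching.
LAUNCHER_SCRIPTS = ("execute.bat", "doit.bat")
PERSISTENCE_SCRIPT = "servtask.bat"
INJECTED_DLL = "wayzgoose23.dll"
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\")

# Constructed Sysmon-style JSON records (EventID 1 = process create, 7 = image load); assumed fields, not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\Public\\doit.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\servtask.bat /sc onstart"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe", "ImageLoaded": "C:\\Windows\\System32\\localspl.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\spoolsv.exe", "ImageLoaded": "C:\\Users\\Public\\wayzgoose23.dll"}
"""

def detect(event):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    # Rule 1: one of the batch launchers the article names is executed.
    if eid == 1 and any(script in cmd for script in LAUNCHER_SCRIPTS):
        hits.append("gooseegg_launcher_script")
    # Rule 2: schtasks.exe registers a task that references the persistence script.
    if eid == 1 and image.endswith("\\schtasks.exe") and PERSISTENCE_SCRIPT in cmd:
        hits.append("gooseegg_persistence_task")
    # Rule 3: the spooler loads the named DLL, or (generalized) any DLL from outside %SystemRoot%.
    if eid == 7 and image.endswith("\\spoolsv.exe"):
        if loaded.endswith("\\" + INJECTED_DLL):
            hits.append("gooseegg_dll_in_spooler")
        elif not WINDOWS_DIR.match(loaded):
            hits.append("spooler_loaded_dll_outside_windows_dir")
    return hits

def scan(text):
    """Return (line number, matched rules) for every JSON line that matches a rule."""
    results = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        hits = detect(json.loads(line)) if line.strip() else []
        if hits:
            results.append((n, hits))
    return results

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

On real Sysmon exports the same rules apply once the records are converted to one JSON object per line with these field names; the third rule will also surface legitimate third-party print drivers, which is why it is kept separate from the named-DLL match.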
Historical Context and Implications
APT28 has a notorious history of high-profile cyberattacks. Notably, the group exploited a Cisco router zero-day to deploy Jaguar Tooth malware, targeting sensitive information in the U.S. and EU. APT28 was also implicated in the breaches of the German Federal Parliament, the Democratic Congressional Campaign Committee (DCCC), and the Democratic National Committee (DNC) ahead of the 2016 U.S. Presidential Election. The U.S. and the Council of the European Union have taken legal action against members of APT28, underscoring the significant threat this group poses to global cybersecurity.
Last Updated on November 7, 2024 8:53 pm CET