Researchers at Microsoft have unmasked a malicious tool used by a state-backed Russian hacking group to steal credentials in compromised networks. The malware, named GooseEgg, exploits the CVE-2022-38028 vulnerability in Windows Print Spooler service, which temporarily stores printing jobs in a computer’s memory until they are ready to be printed, Microsoft reported in a blogpost.
GooseEgg appears to be linked exclusively to a group called Forest Blizzard. The group is part of Military Unit 26165 belonging to Russia’s Main Intelligence Directorate of the General Staff (GRU).
Forest Blizard is known to target strategic intelligence assets including government, energy, transportation and nongovernmental organisations across Europe, the US and the Middle East, and has also targeted various sectors including media, IT, sports and education, according to Microsoft’s observations.
“The use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” researchers said.
Microsoft says GooseEgg malware has been deployed since June 2020
According to Microsoft, Forest Blizzard, also known as Fancy Bear and APT28, has been deploying the malicious malware since June 2020 against state, nongovernmental, education and transportation organisations in Ukraine, Western Europe and North America. Since at least 2010, the group’s primary aim has been to collect intelligence in support of Russian government foreign policy initiatives, said Microsoft.
The security flaw in the Print Spooler software was patched by Microsoft in 2022, meaning the GooseEgg malware should not impact those who regularly update their systems. “Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organisation’s security,” Microsoft said.
The Microsoft Threat Intelligence unit reported that Forest Blizzard utilises GooseEgg, a simple launcher application, to run other tools with extended rights within the network once it has successfully infiltrated a targeted device. It enables hackers to access other capabilities such as remote code execution, installing a backdoor, and moving through compromised networks laterally.
Microsoft recommended that impacted customers follow the company’s credential hardening recommendations, run endpoint detection and response (EDR) in block mode so Microsoft Defender can block malicious artefacts, configure investigation and remediation in full automated mode to prompt immediate action from Endpoint on alerts to resolve breaches, and turn on cloud-delivered protection in Microsoft Defender Antivirus, or an equivalent.
Microsoft’s latest run-in with the Russian state-backed hacker group
This is not the first time Microsoft has faced a run-in with Forest Blizzard. The group also exploits other vulnerabilities, such as CVE-2023-23397, affecting all versions of Microsoft Outlook software on Windows devices. In December last year, Microsoft had warned that the same Russia-backed hackers had been exploiting a flaw with Outlook to gain unauthorised access to email accounts in Microsoft Exchange servers since April 2022. In summer 2023, it was also reported that the group had been targeting Ukrainian government organisations with malware hidden in emails detailing a fake Windows update.
This marks the latest in a series of cyber issues for Microsoft. The tech giant recently drew criticism from US government officials following a “preventable” cyberattack which saw a “cascade of Microsoft’s avoidable errors” enabling Chinese government-backed cyber operators to hack into the email accounts of senior US officials.
Read more: Russian hackers stole US federal correspondences through Microsoft breach
