
Russia’s Fancy Bear crushes Windows Print Spooler Bug

Article Summary

TLDR:

  • Russian APT group Fancy Bear using custom tool GooseEgg to exploit Windows Print Spooler bug.
  • The group has been targeting organizations in Ukraine, Western Europe, and North America.

The well-known Russian APT group Fancy Bear has been using a custom tool called GooseEgg to exploit a bug in the Windows Print Spooler service. The tool exploits the CVE-2022-38028 vulnerability in that service to elevate privileges and steal credentials in cyber-espionage attacks against targets primarily in Ukraine, Western Europe, and North America. Microsoft patched the flaw in October 2022, but Fancy Bear continues to deploy GooseEgg in attacks, modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. The group has a history of targeting vulnerabilities in Microsoft products, and organizations are advised to apply the patches and to mitigate the threat by disabling the Print Spooler service on domain controllers.

Full Article:

The article discusses how the Russian threat actor Fancy Bear, also known as APT28, has been using a custom tool called GooseEgg to exploit a longstanding bug in the Windows Print Spooler service. The tool allows the group to elevate privileges and steal credentials in intelligence-gathering attacks across Ukraine, Western Europe, and North America. Microsoft identified the exploitation of CVE-2022-38028 and recommended applying security updates to mitigate the threat. Additionally, Microsoft Defender Antivirus detects the tool as HackTool:Win64/GooseEgg.

GooseEgg has been deployed by Fancy Bear since at least June 2020, allowing the threat actors to carry out a range of follow-on activity such as remote code execution, installing backdoors, and moving laterally through compromised networks. By exploiting the Print Spooler flaw, the group can redirect the service to actor-controlled directories, ultimately running its code with SYSTEM permissions.

Furthermore, the article highlights the importance of organizations applying patches for vulnerable products targeted by Fancy Bear. Vulnerabilities in IT environments, such as printer bugs, pose significant challenges for security teams due to under-inventoried assets. To safeguard against cyber-espionage attacks, organizations are advised to maintain updated inventories and address environmental vulnerabilities that could be exploited by malicious actors.
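The mitigation the article relays, disabling the Print Spooler service on domain controllers, is easy to audit at domain scale. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and that WinRM (PowerShell remoting) is permitted to the domain controllers. Without the -Disable switch it only reports.

```powershell
# Added example: audit (and optionally disable) the Print Spooler service on every
# domain controller in the current domain. Assumes the ActiveDirectory module and
# WinRM access to the DCs; -WhatIf is honoured when -Disable is used.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # omit to run in report-only mode
)

Import-Module ActiveDirectory -ErrorAction Stop

# Enumerate all DCs in the current domain.
$dcs = (Get-ADDomainController -Filter *).HostName

# Query the Spooler service state on each DC in parallel over WinRM.
# Status/StartType are cast to strings so they survive remoting deserialization.
$report = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Present     = [bool]$svc
        Status      = if ($svc) { [string]$svc.Status }    else { 'n/a' }
        StartupType = if ($svc) { [string]$svc.StartType } else { 'n/a' }
    }
}

$report | Sort-Object Computer | Format-Table Computer, Present, Status, StartupType -AutoSize

if ($Disable) {
    # Only touch DCs where the service exists and is not already stopped and disabled.
    $targets = $report | Where-Object {
        $_.Present -and ($_.Status -ne 'Stopped' -or $_.StartupType -ne 'Disabled')
    }
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t.Computer, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $t.Computer -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service  -Name Spooler -StartupType Disabled
            }
        }
    }
}
```

Run with `-Disable -WhatIf` first to see which controllers would be changed; a DC that still needs print services should be patched rather than disabled.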

