Microsoft has warned that the Russian state-sponsored threat group APT28 (also known as Fancy Bear, and tracked by Microsoft as Forest Blizzard) has been using a previously undocumented tool named GooseEgg to exploit CVE-2022-38028, a privilege-escalation vulnerability in the Windows Print Spooler service. According to Microsoft, the group has used the tool since at least June 2020 to steal credentials and data from compromised networks.
Microsoft patched the flaw in its October 2022 security updates, but the advisory was never marked as exploited in the wild, so organizations that prioritize patching by exploitation status may still have unpatched systems. APT28, which is associated with Russia's military intelligence service (the GRU), uses GooseEgg after gaining an initial foothold to elevate from an ordinary user to SYSTEM, then drops additional payloads and runs commands with those privileges.
The attackers deploy GooseEgg as a Windows batch script together with an embedded malicious DLL, and use it both to escalate privileges and to establish persistence on the compromised host. Microsoft has observed APT28 using GooseEgg in post-compromise activity against organizations in the government, non-governmental, education, and transportation sectors.
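Because GooseEgg only works where the Print Spooler is running and the October 2022 fix is missing, a defender's first question is whether a given host is exposed at all. The following PowerShell script is an added example written for this article, not code from Microsoft's report or from the APT28 toolset. It reports the Spooler service state, whether any printers are actually configured, and a coarse patch-level proxy based on the most recent hotfix date (assumption: a host whose newest hotfix predates the 11 October 2022 Patch Tuesday certainly lacks the fix; a later date is not proof of patching, only a hint). The function names and the "disable if no printers are configured" policy are the example's own assumptions.

```powershell
# Added example (not from Microsoft's report): assess Print Spooler exposure
# relevant to the CVE-2022-38028 escalation abused by GooseEgg.
# Assumptions: run as an administrator on a supported Windows host; disabling
# the Spooler is acceptable on servers that have no configured printers.

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Running = $false
                                  StartType = 'N/A'; Printers = 0
                                  NewestHotfix = $null; PredatesFix = $null }
    }

    # Printers configured on this host (local or connected).
    $printers = @(Get-Printer -ErrorAction SilentlyContinue)

    # Coarse proxy only: newest installed hotfix date versus the
    # October 2022 Patch Tuesday (2022-10-11). Older => definitely unpatched.
    $newest = Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1 -ExpandProperty InstalledOn
    $fixDate = Get-Date '2022-10-11'

    [pscustomobject]@{
        Present      = $true
        Running      = ($svc.Status -eq 'Running')
        StartType    = $svc.StartType
        Printers     = $printers.Count
        NewestHotfix = $newest
        PredatesFix  = if ($newest) { $newest -lt $fixDate } else { $null }
    }
}

function Disable-SpoolerIfUnused {
    param([switch]$WhatIf)
    $state = Get-SpoolerExposure
    if (-not $state.Present) { Write-Host 'Spooler service not installed.'; return }
    if ($state.Printers -gt 0) {
        Write-Warning "Spooler in use ($($state.Printers) printer(s)); not disabling. Patch instead."
        return
    }
    if ($WhatIf) {
        Write-Host 'Would stop and disable the Spooler service (no printers configured).'
        return
    }
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Spooler stopped and disabled.'
}

# Usage:
Get-SpoolerExposure | Format-List
Disable-SpoolerIfUnused -WhatIf
```

Run `Get-SpoolerExposure` across a fleet first; hosts that report `Running = True` and `PredatesFix = True` are the ones to patch immediately. Treat the hotfix-date check as a triage hint only and confirm the actual update status with your patch-management tooling before closing the finding.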
The group has a long history of high-profile intrusions, including exploiting a vulnerability in Cisco IOS routers and routing its attacks through compromised Ubiquiti EdgeRouters to evade detection. APT28 was also behind the breach of the German Federal Parliament and the hacks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) during the 2016 U.S. presidential election.
In response to these operations, the U.S. Department of Justice has indicted APT28 members and the Council of the European Union has imposed sanctions on them. Microsoft's latest warning is a reminder that a patch which was never flagged as exploited can still be the foothold a well-resourced group depends on, and that unpatched, unnecessary services such as the Print Spooler remain a reliable path to SYSTEM.