Russia-Linked Hackers Exploit Windows Zero-Day, Deploy “GooseEgg” to Hijack Networks

Microsoft has exposed a sophisticated new tool in the arsenal of the Russian state-backed hacking group “Forest Blizzard.” Dubbed “GooseEgg,” this tool allows attackers to gain deep access to compromised systems, making the group a serious threat to Western governments and strategic organizations.

Since as early as April 2019, Forest Blizzard has leveraged GooseEgg to exploit a critical vulnerability in the Windows Print Spooler service, identified as CVE-2022-38028. This vulnerability allows unauthorized privilege elevation by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. The simplicity of GooseEgg belies its potential for havoc, as it can spawn applications with elevated privileges, facilitating further malicious activities such as remote code execution, the installation of backdoors, and lateral movement across compromised networks.

Forest Blizzard, also known by names like APT28 and Fancy Bear, is a hacking group linked to the GRU, Russia’s military intelligence agency. They are notorious for intelligence gathering operations, primarily focused on government, energy, and transportation targets in the US, Europe, and the Middle East.

Forest Blizzard employs both unique and publicly available exploits to maintain persistence within compromised networks. The use of GooseEgg, however, sets the group apart from other GRU-affiliated groups that often engage in more destructive cyber attacks. This tool has been part of a series of sophisticated cyber operations that use deceptive methods to conceal their tracks effectively.

For instance, once access is gained, GooseEgg is executed through scripts like ‘execute.bat’ or ‘doit.bat,’ which set up further persistence mechanisms and facilitate privilege escalation. The binary associated with GooseEgg, appearing under innocuous names like ‘justice.exe’ or ‘DefragmentSrv.exe,’ can perform actions that seem trivial but are, in fact, part of a complex exploitation process.

In response to these findings, Microsoft has issued patches for CVE-2022-38028 and the previously exploited PrintNightmare vulnerabilities. In addition to applying these security updates, Microsoft recommends disabling the Print Spooler service on domain controllers where it is not necessary for operations, thereby reducing the attack surface.
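The hardening step Microsoft recommends above, as an added example that is not code from the article or from Microsoft: a PowerShell script that reports the Print Spooler state on a host and, on a domain controller, stops and disables the service. It assumes local administrator rights and that the host has no printing dependency; the `-Disable` switch and `-WhatIf` preview are this script's own conventions.

```powershell
# Added example: audit the Print Spooler service and disable it on domain
# controllers that do not need it (mitigation for CVE-2022-38028 abuse).
# Assumes local admin rights. Run with -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without this switch the script only reports
)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service not present on this host."
    return
}

# Report current state before touching anything
[PSCustomObject]@{
    Host               = $env:COMPUTERNAME
    IsDomainController = $isDomainController
    SpoolerStatus      = $spooler.Status
    SpoolerStartType   = $spooler.StartType
} | Format-List

if ($isDomainController -and $Disable) {
    # ShouldProcess honours -WhatIf / -Confirm supplied by the caller
    if ($PSCmdlet.ShouldProcess("Spooler on $env:COMPUTERNAME", "Stop and disable")) {
        if ($spooler.Status -eq 'Running') {
            Stop-Service -Name Spooler -Force
        }
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output "Print Spooler stopped and startup type set to Disabled."
    }
} elseif ($isDomainController) {
    Write-Output "Domain controller with Spooler $($spooler.Status); re-run with -Disable to remediate."
} else {
    Write-Output "Not a domain controller; no change made (patch CVE-2022-38028 and review Spooler need separately)."
}
```

Deploying it across all domain controllers is a matter of wrapping it in `Invoke-Command` against the DC list; keep the report-only run in change records so the pre-change state is documented.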