**Forest Blizzard APT28 Exposed: New Windows Print Spooler Flaw Weaponized with GooseEgg Malware**

Washington, D.C. – A Russia-linked nation-state threat actor known as APT28 has been identified as exploiting a security flaw in Microsoft’s Windows Print Spooler component to deliver a new custom malware named GooseEgg. The flaw, CVE-2022-38028 (CVSS score 7.8), was used by APT28 to escalate privileges; Microsoft addressed it in its October 2022 updates and credited the U.S. National Security Agency with reporting it.

Fancy Bear, also known as APT28, Forest Blizzard, and formerly Strontium, used the bug to target organizations in Ukraine, Western Europe, and North America across sectors including government, non-governmental organizations, education, and transportation. Forest Blizzard, affiliated with Unit 26165 of the GRU, Russia’s military intelligence agency, has conducted hacking operations in support of Russian government foreign policy initiatives for nearly 15 years.

APT28’s deployment of GooseEgg aims to gain elevated access to systems and steal credentials and information in support of its objectives. This post-compromise tool, capable of spawning applications with elevated permissions, gives the threat actor a foothold for further malicious activity such as remote code execution, installing backdoors, and lateral movement across the network.

In addition to exploiting the Windows Print Spooler flaw, APT28 has been reported to use other vulnerabilities, such as a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397) and a code execution bug in WinRAR (CVE-2023-38831). This indicates the group’s agility in adopting public exploits to enhance its operations.

IBM X-Force recently disclosed new phishing attacks orchestrated by the Gamaredon actor, targeting Ukraine and Poland with iterations of the GammaLoad malware. GammaLoad.VBS, GammaStager, GammaLoadPlus, GammaInstall, GammaLoad.PS, GammaLoadLight.PS, GammaInfo, and GammaSteel are the components used in these attacks, showcasing the actor’s evolving tactics in launching sophisticated cyber operations.

In response to the escalating cyber threats, organizations are urged to remain vigilant and enhance their cybersecurity measures to mitigate the risks posed by advanced threat actors like APT28 and Gamaredon. The continuous evolution of malware and exploitation techniques underscores the importance of proactive cybersecurity strategies to safeguard critical systems and data from malicious actors.