
Forest Blizzard or APT28 (STRONTIUM) abuses a Windows Print Spooler vulnerability, says Microsoft

The company recommends applying the security update released for the vulnerability

Published on April 24, 2024

Recently, Microsoft has warned that the Russian APT28 hacker group is exploiting a Windows Print Spooler vulnerability. The abuse includes elevating privileges and stealing credentials and data using a hacking tool, GooseEgg.

Microsoft mentioned in the report that:

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard (APT28) has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

How does this work?

Microsoft also said that they noticed Forest Blizzard using GooseEgg as a part of its post-compromise activities. They target a range of organizations, including governmental and non-governmental entities, educational institutions, and transportation sector organizations in Western Europe, Ukraine, and North America.

GooseEgg appears to be a simple launcher application; however, it can start other applications specified on the command line with elevated rights. This lets threat actors pursue several follow-on objectives, including deploying a backdoor, remote code execution, and moving laterally through an infected network.

Forest Blizzard (APT28), previously known as STRONTIUM, which is associated with the Russian General Staff Main Intelligence Directorate (GRU) by both the United Kingdom and United States governments, mainly targets strategic intelligence objectives.

Moreover, it differs from other GRU-affiliated groups, Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586), and its focus is on collecting strategic intelligence.

The US National Security Agency informed the company about this flaw, and the Redmond tech giant fixed it during the Microsoft October 2022 Patch Tuesday. However, Microsoft has not confirmed any instances of it being actively exploited in the security update guide.

Microsoft is committed to informing about detected malware activities and is keen on sharing insights on threat actors to help organizations protect themselves from these threats.

To prevent your organization from being a victim, you must apply the CVE-2022-38028 security update. Also, Microsoft Defender Antivirus identifies the specific Forest Blizzard capability as HackTool: Win64/GooseEgg. If you want to learn more about Forest Blizzard and GooseEgg, you can read the official security blog by Microsoft.

Apart from applying the patch, here are some other recommendations suggested by Microsoft in the security blog:

Reduce the Print Spooler vulnerability

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.
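For administrators without Defender for Identity, the same audit can be done from a management workstation. The script below is an added example, not code from Microsoft’s blog or from Windows Report: it lists every domain controller in the current domain, reports the state and start mode of the Spooler service on each, and, only when run with -Disable, stops and disables the service. It assumes the ActiveDirectory RSAT module is installed, that the account running it has remote CIM and PowerShell Remoting access to the domain controllers, and that the parameter name -Disable is our own choice.

```powershell
# Added example: audit (and optionally disable) the Print Spooler service on
# all domain controllers. Assumes RSAT ActiveDirectory module and remote access.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch chosen for this example: without it the script only reports.
    [switch]$Disable
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $host = $dc.HostName

    # Win32_Service exposes State (Running/Stopped) and StartMode (Auto/Manual/Disabled).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                           -ComputerName $host -ErrorAction SilentlyContinue

    if (-not $svc) {
        # Unreachable or no Spooler service object; report it rather than skip silently.
        [pscustomobject]@{ DomainController = $host; State = 'Unreachable'; StartMode = $null }
        continue
    }

    if ($Disable -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled') -and
        $PSCmdlet.ShouldProcess($host, 'Stop and disable Print Spooler')) {

        # Domain controllers do not need the spooler; stop it and prevent it restarting.
        Invoke-Command -ComputerName $host -ScriptBlock {
            Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
            Set-Service  -Name Spooler -StartupType Disabled
        }

        # Re-read the service so the report reflects the post-change state.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                               -ComputerName $host
    }

    [pscustomobject]@{
        DomainController = $host
        State            = $svc.State
        StartMode        = $svc.StartMode
    }
}

# Anything still Running or not Disabled is a domain controller to follow up on.
$results | Sort-Object DomainController | Format-Table -AutoSize
```

Run it once without -Disable to get the inventory; run it with -Disable -WhatIf to see which hosts would be changed, then with -Disable to apply. Servers that legitimately print from a domain controller (rare, but it happens) will show up in the report and should be patched first rather than silently disabled.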

Be proactively defensive

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

As mentioned earlier, if you suspect that your system is compromised, you can run Microsoft Defender Antivirus, which can detect threat components such as HackTool: Win64/GooseEgg.

Microsoft Defender for Endpoint and Microsoft Defender for Identity can also alert you to threat activity related to this Forest Blizzard campaign, including CVE-2021-34527 exploitation, suspicious behavior by spoolsv.exe, and suspected elevation of rights through the print filter pipeline service.
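On a single Windows host with Microsoft Defender Antivirus, the Defender PowerShell module can confirm that signatures are current and show whether the GooseEgg detection named above has ever fired. This is an added example, not code from Microsoft’s blog or the article; it assumes an elevated PowerShell session on a machine where the built-in Defender module (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection) is available, and the 30-day staleness threshold is our own choice.

```powershell
# Added example: check Defender AV signature freshness and look for GooseEgg detections.
# Assumes an elevated session on a host running Microsoft Defender Antivirus.

$status = Get-MpComputerStatus

# Real-time protection off or stale signatures would undermine the HackTool:Win64/GooseEgg
# detection, so report both before looking at threat history.
$ageDays = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
[pscustomobject]@{
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    SignatureVersion    = $status.AntivirusSignatureVersion
    SignatureAgeDays    = $ageDays
    SignaturesStale     = ($ageDays -gt 30)   # threshold chosen for this example
} | Format-List

# Threat history: Get-MpThreat lists threats by name, Get-MpThreatDetection has the
# per-event detail (when, which process, which file). Join them on ThreatID.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like '*GooseEgg*' }

if (-not $threats) {
    Write-Output 'No GooseEgg detections recorded on this host.'
}
else {
    foreach ($t in $threats) {
        Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } |
            Select-Object @{ n = 'ThreatName'; e = { $t.ThreatName } },
                          InitialDetectionTime,
                          ProcessName,
                          @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
            Format-Table -AutoSize
    }
}
```

A GooseEgg hit here means the post-compromise stage was already reached on that host, so the output is a starting point for incident response (which process launched it, which files were involved), not a sign that the problem has been cleaned up.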

To conclude, organizations are advised to stay vigilant and implement the security measures recommended by Microsoft to avoid falling prey to such threat actors.


Srishti Sisodia

Windows Software Expert

Srishti Sisodia is an electronics engineer and writer with a passion for technology. She has extensive experience exploring the latest technological advancements and sharing her insights through informative blogs.

Her diverse interests bring a unique perspective to her work, and she approaches everything with commitment, enthusiasm, and a willingness to learn. That’s why she’s part of Windows Report’s Reviewers team, always willing to share the real-life experience with any software or hardware product. She’s also specialized in Azure, cloud computing, and AI.
