Earlier this year, Microsoft revealed that a hacker group believed to be Russian state-sponsored had gained access to the email accounts of some of the company's top executives. Today, Microsoft says another Russia-based hacker group has been found using a years-old, already-patched vulnerability in a Windows component to break into networks around the world and steal information.
In a post on the Microsoft Security website, the company said it tracks the group as Forest Blizzard. The group has been active since at least 2010, targeting both government and non-government networks in the US, Europe, and the Middle East.
The newly revealed activity involves Forest Blizzard exploiting a vulnerability in the Windows Print Spooler service, tracked as CVE-2022-38028, an elevation-of-privilege flaw. Microsoft says Forest Blizzard uses a custom tool it calls GooseEgg, which exploits the flaw on networks the group has reached in order to run code with elevated permissions.
Microsoft says:
While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.
Forest Blizzard has used GooseEgg to gain access to networks in North America, Ukraine, and Western Europe and to take data from them, and Microsoft says the activity dates back as long as four years. The blog says that the use of this tool by Forest Blizzard "is a unique discovery that had not been previously reported by security providers." There is no word in the blog on how successful the group has been at compromising networks and stealing data with GooseEgg.
Microsoft patched the Print Spooler vulnerability in October 2022, and it recommends that organizations that run the service but have not yet applied the update do so now. Microsoft also suggests disabling the Print Spooler service on domain controllers, which do not need it, and using Microsoft Defender Antivirus, which detects the GooseEgg tool, to check whether it is present on the network.
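One concrete way to act on that advice is the PowerShell script below. It is an added example, not code from the article or from Microsoft: it reports the Print Spooler state on the local host, prints the spoolsv.exe file version so it can be compared with a host known to carry the October 2022 update, and, only when the host is a domain controller, stops and disables the service. The domain-controller test relies on Win32_ComputerSystem.DomainRole (4 or 5 means a domain controller); the assumption that the host is not also a print server that depends on the spooler is the script's own, not the article's.

```powershell
# Added example (not from the article or from Microsoft): audit the Print
# Spooler service and disable it on domain controllers, as Microsoft advises.
# Run in an elevated PowerShell session. Assumption: the host is not also a
# print server that depends on spoolsv.exe.

$roleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'
    5 = 'Primary Domain Controller'
}

# Win32_ComputerSystem.DomainRole is 4 or 5 when this host is a domain controller.
$role = [int](Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = ($role -ge 4)

$spooler = Get-Service -Name Spooler
$spoolsv = Get-Item -Path "$env:SystemRoot\System32\spoolsv.exe"

Write-Host ("Host {0}: role={1}" -f $env:COMPUTERNAME, $roleNames[$role])
Write-Host ("Spooler: status={0}, startup={1}" -f $spooler.Status, $spooler.StartType)
# Compare this version against a host known to have the October 2022 update installed.
Write-Host ("spoolsv.exe file version: {0}" -f $spoolsv.VersionInfo.FileVersion)

if ($isDc) {
    # Domain controllers do not need a print spooler: stop it and block restarts.
    if ($spooler.Status -ne 'Stopped') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Print Spooler stopped and disabled on domain controller $env:COMPUTERNAME"
} elseif ($spooler.Status -eq 'Running') {
    # Other servers may legitimately need the service; flag it for review instead.
    Write-Warning "Print Spooler is running on non-DC $env:COMPUTERNAME; verify the October 2022 update is installed"
}
```

To roll this out across a domain, run the script on each domain controller with Invoke-Command; the patch check is deliberately a version comparison rather than a hard-coded build number, so record the spoolsv.exe version from one fully updated host first and treat anything older as unpatched.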