Security
Headlines
HeadlinesLatestCVEs

Headline

Russia's Fancy Bear Pummels Windows Print Spooler Bug

The infamous Russian threat actor has created a custom tool called GooseEgg to exploit CVE-2022-38028 in cyber-espionage attacks against targets in Ukraine, Western Europe, and North America.

DARKReading
#vulnerability#windows#microsoft#cisco#js#java#intel#backdoor#rce#auth

Source: Science Photo Library via Alamy Stock Photo

A well-known Russian advanced persistent threat (APT) group has been using a custom tool to exploit a bug that been around for several years in the Windows Print Spooler service to elevate privileges and steal credentials in numerous intelligence-gathering attacks around the globe. It also appears to be paving the way for further attacks.

Fancy Bear (aka APT28, Forest Blizzard, Pawn Storm, Sofacy Group, and Strontium) is linked to the Russian General Staff Main Intelligence Directorate. It has been using a tool called GooseEgg since at least June 2020 and possibly as early as April 2019 to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service, Microsoft Threat Intelligence revealed in a blog post on April 22.

Microsoft patched the flaw, which allows an attacker who successfully exploits it to gain SYSTEM privileges, in October 2022. Fancy Bear is using GooseEgg to modify a JavaScript constraints file and execute it with SYSTEM-level permissions.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” according to the post.

Microsoft discovered Fancy Bear deploying GooseEgg in attacks against various Ukrainian, Western European, and North American government, nongovernmental, education, and transportation sector organizations.

Windows Print Spooler, a printer services technology, is a popular target for attackers, who tend to pounce on numerous flaws affecting the software that manages the printing process in Windows. The most well-known of these is two security vulnerabilities collectively called PrintNightmare that were discovered in late June 2021 and spawned a series of well-documented attacks.

GooseEgg Malware Tailored for Windows Print Spooler

That Fancy Bear targeted the service itself is not out of the ordinary, according to Microsoft; however, its use of the newly discovered GooseEgg to elevate privileges in these attacks is a novel threat activity for the group. GooseEgg is typically deployed with a batch script that invokes a corresponding GooseEgg executable and sets up persistence as a scheduled task.

The GooseEgg binary then takes one of four commands, each with different runpaths. “While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity,” according to the post.

Two of the binary’s commands trigger the exploit for the Print Spooler flaw and launch either a provided dynamic link library (DLL) or executable with elevated permissions, while another command tests the exploit and checks that it has succeeded.

The name of an embedded malicious DLL file launched by GooseEgg typically includes the phrase “wayzgoose,” such as wayzgoose23.dll. That DLL as well as other components of the malware are deployed to one of several installation subdirectories created under the Windows directory C:\ProgramData, according to Microsoft Threat Intelligence.

The exploit ultimately replaces the C: drive symbolic link in the object manager to point to the newly created directory, resulting in Print Spooler being redirected to the actor-controlled directory containing the copied driver packages when it attempts to load this registry: C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js.

Eventually, the auxiliary DLL wayzgoose.dll file launches in the context of the PrintSpooler service with SYSTEM permissions as “a basic launcher application capable of spawning other applications” with the same permissions, according to the post.

Keeping Fancy Bear Cyber Espionage at Bay

Fancy Bear has a history of attacking known vulnerabilities, particularly in Microsoft products, to compromise targets for its nefarious activities — which primarily involve, but are not limited to, intelligence gathering. Last year, it mounted a flurry of cyber-espionage attacks against government agencies in NATO countries and organizations in the Middle East that exploited CVE-2023-23397, a zero-click vulnerability in Microsoft’s Outlook email client.

While the group’s most high-profile attack may be its ties to hacking aimed at running interference in the 2016 US presidential elections, the group has been most notably active of late in various attacks against Ukraine since Russia’s war against the country began in February 2022.

The best way that organizations can protect themselves against attacks from the Russian APT is to apply patches for the vulnerable products that it targets. Microsoft recommended that users apply the CVE-2022-38028 security update to mitigate the GooseEgg threat against Windows Print Spooler; meanwhile, the Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.

Another way to mitigate the issue is to disable the Windows Print Spooler service domain controller operations, since it isn’t required, according to Microsoft. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Greg Fitzgerald, co-founder at Sevco Security, notes that printer bugs are particularly difficult to remediate because printers are often under-inventoried.

“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly it’s these environmental vulnerabilities that create security gaps giving malicious actors access to data," Fitzgerald says. "These vulnerabilities are hiding in plain sight throughout IT environments, creating a landscape of threats that security teams can’t see, but are still accountable for. The unfortunate reality is that most organizations are unable to create an accurate IT asset inventory that reflects the entirety of their attack surface. This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”

About the Author(s)

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Related news

Hybrid Work Exposes New Vulnerabilities in Print Security

The shift to a distributed work model has exposed organizations to new threats, and a low but continuing stream of printer-related vulnerabilities isn't helping.

Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware

The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on a Audi Q7 Quattro SUV.

Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

By Waqas Update Windows Now or Get Hacked: Microsoft Warns of Actively Exploited Vulnerability! This is a post from HackRead.com Read the original post: Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's

Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Microsoft Patch Tuesday, March 2023 Edition

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

Microsoft Zero-Day Bugs Allow Security Feature Bypass

Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.

CVE-2023-23397

Microsoft Outlook Elevation of Privilege Vulnerability

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.

CVE-2022-45103: DSA-2022-340: Dell Unisphere for PowerMax, Dell Unisphere for PowerMax vApp, Dell Solutions Enabler vApp, Dell Unisphere 360, Dell VASA Provider vApp, and Dell PowerMax EMB Mgmt Security Update for Mu

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain an information disclosure vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to read arbitrary files on the underlying file system.

Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

Microsoft's Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild. Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

CVE-2022-38028

Windows Print Spooler Elevation of Privilege Vulnerability.

DARKReading: Latest News

US Ban on TP-Link Routers More About Politics Than Exploitation Risk