APT28 gang executes new GooseEgg cybercriminal operation

April 26, 2024
GooseEgg Cybercrime APT28 Cyberespionage

One of the most notorious Russia-based cyber espionage groups, known as APT28 or Strontium, was recently exposed in a new hacking campaign dubbed “GooseEgg.” Based on reports, this group has been exploiting a vulnerability in the Windows Print Spooler system for years, using a tool called GooseEgg to steal credentials and sensitive information.

The NSA initially reported the vulnerability, CVE-2022-38028, which Microsoft addressed and patched in October a couple of years ago. GooseEgg, APT28’s post-compromise tool, exploits it to modify a JavaScript file with system-level privileges, facilitating data theft from targeted networks.

The tool masquerades as a harmless launcher application, yet it can escalate the attackers’ privileges and carry out additional malicious acts such as remote code execution and backdoor installation.

While APT28 is well-known for its cyberespionage efforts, it prefers to acquire intelligence rather than launch destructive cyberattacks. This most recent effort has targeted a variety of sectors, including government, non-governmental organisations, education, and transportation in Ukraine, Western European countries, and North America.

Although similar vulnerabilities, such as PrintNightmare, have previously been exploited by Russian threat actors, the use of GooseEgg in Forest Blizzard operations (Forest Blizzard being Microsoft’s name for APT28) is a new revelation that caught researchers off guard.

To address the risk posed by APT28 and GooseEgg, system administrators should patch CVE-2022-38028 and disable the Print Spooler on domain controllers. Additionally, adopting Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solutions can aid in detecting and responding to suspicious activities linked with GooseEgg.

In addition, Microsoft Defender Antivirus may detect GooseEgg as HackTool:Win64/GooseEgg, giving an extra layer of protection against this threat. However, it is critical to note that APT28’s tactics, methods, and procedures (TTPs) may vary over time, needing continuous awareness and adaptation to cybersecurity measures.
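The two paragraphs above boil down to a handful of checks an administrator can run on each Windows host: is this a domain controller, is the Print Spooler still running, has Defender recorded the HackTool:Win64/GooseEgg detection, and what is the patch state. The script below is an added example written for this page; it is not code from the article, Microsoft or any vendor. It assumes it is run elevated on a Windows host with the Defender PowerShell module present, and its `-Remediate` switch is a hypothetical parameter of this script, not a Microsoft cmdlet option. The CVE-2022-38028 update’s KB number is not given in the article, so the script reports the most recent hotfix rather than hard-coding one.

```powershell
# Added example (not from the original article): a defender-side audit for the
# GooseEgg mitigations described above. Assumes an elevated session on Windows
# with the Defender module available; -Remediate is a hypothetical switch of
# this script only.
[CmdletBinding()]
param(
    [switch]$Remediate   # stop and disable the Print Spooler if this host is a DC
)

# 1. Is this host a domain controller? (Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC)
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in @(4, 5)

# 2. Print Spooler service state: the vulnerable component is the spooler itself,
#    so on a domain controller it should not be running at all.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    Write-Output "Print Spooler service not present."
} else {
    Write-Output ("Print Spooler: Status={0} StartType={1}" -f $spooler.Status, $spooler.StartType)
    if ($isDomainController -and $spooler.Status -eq 'Running') {
        Write-Warning "Print Spooler is running on a domain controller."
        if ($Remediate) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            Write-Output "Print Spooler stopped and disabled."
        }
    }
}

# 3. Has Defender ever flagged the GooseEgg hack tool on this host?
#    Get-MpThreat lists threats Defender has seen; the detection name is the one
#    quoted in the article.
$hits = Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -like 'HackTool:Win64/GooseEgg*' }
if ($hits) {
    Write-Warning ("Defender has recorded GooseEgg detections: {0}" -f ($hits.ThreatName -join ', '))
} else {
    Write-Output "No Defender GooseEgg detections recorded on this host."
}

# 4. Patch state: report the most recently installed hotfix so an operator can
#    compare it against the October update that fixed CVE-2022-38028.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    Write-Output ("Most recent hotfix: {0} installed {1}" -f $latest.HotFixID, $latest.InstalledOn)
} else {
    Write-Warning "No hotfix records found; verify update state another way."
}
```

Run it read-only first across the domain controller estate; only pass `-Remediate` once print services on those hosts are confirmed unused, because disabling the spooler also removes their ability to act as print servers.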

Organisations should continue to monitor this threat and their own exposure to it, as the threat actors could alter their techniques to make their campaigns more efficient.
