Analysis Summary

The nation-state threat actor with ties to Russia, identified as APT28, used a Microsoft Windows Print Spooler component security flaw to distribute GooseEgg, a previously unidentified bespoke malware.

According to reports, the post-compromise tool was in use as early as April 2019 and may have been in use since June 2020. It took advantage of a vulnerability that has since been fixed that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). Microsoft fixed it in updates that were made available in October 2022, and the National Security Agency (NSA) of the United States is credited with first bringing attention to the issue at that time.

APT28, also known as Fancy Bear and Forest Blizzard (formerly Strontium), weaponized the vulnerability in attacks against government, non-governmental, educational, and transportation sector organizations in Ukraine, Western Europe, and North America, according to recent findings from the tech giant's threat intelligence team.

“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” reads the report.

By altering a JavaScript constraints file and running it with SYSTEM-level permissions, APT28 has utilized the tool to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service. According to the assessment, APT28 is connected to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Unit 26165, the military intelligence organization of the Russian Federation. The APT group supported by the Kremlin has been active for about 15 years, and its main objective is to gather intelligence for the Russian government's foreign policy efforts.

APT28 threat actors have also exploited a code execution weakness in WinRAR (CVE-2023-38831, CVSS score: 7.8) and a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) in recent months, demonstrating their ability to quickly incorporate public exploits into their tradecraft.

By using GooseEgg, APT28 hopes to obtain privileged access to target computers to steal data and credentials. The most common way to deploy GooseEgg is via a batch script. The exploit can be initiated by commands that the GooseEgg binary supports, launching an executable with elevated rights or a dynamic-link library (DLL) that is supplied. Additionally, it uses the whoami command to confirm whether the exploit has been successfully enabled.

It is recommended that customers who have not yet applied these patches do so right now for the security of their company. Furthermore, Microsoft advises deactivating the Print Spooler service on domain controllers because it isn't necessary for domain controller operations.

Impact

• Privilege Escalation
• Cyber Espionage
• Sensitive Data Theft

Indicators of Compromise

SHA1

• 2635fe5b8029d65ed3229f5f14d7cf51df100542
• bd1834afcd4d2709dd0a541b16521abe2410a9f2
• d1dd6017cd0a82f1e000a84e166a20c40270215d
• c00c21b43dffd78391c232ff1290089f8993c757

Remediation

• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.