The tech giant, Microsoft, recently fixed a vulnerability with its Windows software that Russian-based hackers were exploiting. The threat actors answer to multiple group names, including APT 28, Forrest Blizzard, and Fancy Bear.
Typically, the group is known for launching a variety of phishing and spoofing attacks at various companies worldwide. Multiple researchers into the group concluded that they carry out attacks that benefit the Russian state, leading many to conclude they’re a genuine state-sponsored hacking group.
They exploited the Windows Printer Spooler service to give themselves administrative privileges and steal compromised information from Microsoft’s network. The operation involved the use of GooseEgg, a newly identified malware tool APT 28 customized for the operation.
In the past, the group created other hacking tools, such as X-Tunnel, XAgent, Foozer, and DownRange. The group uses these tools to both launch attacks and sell the equipment to other criminals. This is known as a malware-as-a-service model.
The vulnerability, dubbed CVE-2022-38028, went undetected for multiple years, allowing these hackers ample opportunities to harvest sensitive data from Windows.
APT 28 is “using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,” explains Microsoft.
The hackers “follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”
Several cybersecurity experts have spoken out after the discovery of CVE-2022-38028, voicing their concerns about the industry.
“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly it’s these environmental vulnerabilities – in this case within the Windows Print Spooler service, which manages printing processes – that create security gaps giving malicious actors access to data,” writes Greg Fitzgerald, co-founder of Sevco Security.
Microsoft has fixed the security exploit, but the potential damages from this multi-year-long breach are unknown and the hacker group is still at-large.