GooseEgg proves golden for Fancy Bear, says Microsoft

The Russia-backed advanced persistent threat (APT) operation tracked as Forest Blizzard by Microsoft – but more commonly known as Fancy Bear or APT28 – is exploiting a two-year-old vulnerability in the Windows Print Spooler with a custom tool to target education, government and transport sector organisations in Ukraine, Western Europe and North America.

The tool, referred to as GooseEgg, exploits CVE-2022-38028 – an elevation of privilege vulnerability with a CVSS base score of 7.8 – and Fancy Bear has likely been using it since June 2020, and possibly as early as April 2019.

The tool works by modifying a JavaScript constraints file and then executing it with system-level permissions, enabling the threat actor to elevate their privileges and steal vital credentials from its victims.

Although GooseEgg is a relatively simple launcher, it can also spawn other applications specified at the command line with elevated privileges – enabling its user to support other objectives, including the installation of backdoors, lateral movement and remote code execution.

Russian threat actors have long been keen on similar vulnerabilities – such as PrintNightmare, which emerged in 2021 – but according to Microsoft, the use of GooseEgg is a “unique discovery” that has never been previously reported.

“Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organisations protect themselves,” said the Microsoft Threat Intelligence team in its write-up. “Organisations and users are to apply the CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.”

In addition to this, said the team, since Windows Print Spooler isn’t needed for domain controller operations, it’s recommended that it be disabled on domain controllers if feasible.

Beyond this, Microsoft said users should strive to be “proactively defensive”, taking steps such as following credential hardening recommendations; running endpoint detection and response (EDR) in block mode to allow Microsoft Defender for Endpoint to block malicious artefacts even if other antiviruses have not spotted them; allowing Defender for Endpoint to automate investigation and remediation of issues; and activating cloud-delivered protection in Microsoft Defender Antivirus.

Sevco Security co-founder Greg Fitzgerald said the discovery of GooseEgg spoke to a wider issue in the security world than merely a lack of attention to vulnerability management.

“Security teams have become incredibly efficient at identifying and remediating CVEs,” he said, “but increasingly it’s these environmental vulnerabilities – in this case within the Windows Print Spooler service, which manages printing processes – that create security gaps giving malicious actors access to data.

“These vulnerabilities are hiding in plain sight throughout IT environments, creating a landscape of threats that security teams can’t see, but are still accountable for,” said Fitzgerald. “The unfortunate reality is that most organisations are unable to create an accurate IT asset inventory that reflects the entirety of their attack surface.

“This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”

More guidance on detecting, hunting and responding to GooseEgg is available from Microsoft.