For around four years, Forest Blizzard (also known as Fancy Bear or APT28) has used a custom tool that targets a specific vulnerability in the Windows Print Spooler service (CVE-2022-38028). The tool, named GooseEgg, grants the attackers SYSTEM-level permissions, which they then use to execute remote code, install backdoors, and steal credentials.
According to Microsoft threat analysts, Forest Blizzard has used GooseEgg in attacks against governmental, educational, and transportation organizations in Ukraine, Western Europe, and North America.
Recently, the group has been observed exploiting a known vulnerability in Microsoft Outlook (CVE-2023-23397) to compromise email accounts in Poland.
US and UK authorities suspect that Forest Blizzard is linked to Unit 26165 of the Russian GRU.
GooseEgg is deployed through a batch script that runs the GooseEgg executable and establishes persistence as a scheduled task. The executable then triggers the exploit for CVE-2022-38028, launches the malicious components with elevated permissions, and applies patches to system files.
Microsoft advises organizations to install the security updates for CVE-2022-38028 and to disable the Print Spooler service on hosts where it is not needed. Microsoft is also developing Windows Protected Print Mode as a replacement for the Print Spooler service, because the service is so frequently targeted by attackers.
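The following PowerShell is an added defensive example, not code from the article or from Microsoft. It records the state of the Print Spooler service and, on hosts that do not need printing, applies the mitigation described above by stopping and disabling the service. The service name `Spooler` is the real Windows name for Print Spooler; the function names `Get-SpoolerState` and `Invoke-SpoolerMitigation` and the `-AllowPrinting` switch are chosen for this example. It must run in an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): audit the Print Spooler service and,
# where printing is not needed, stop and disable it as the article recommends.
# 'Spooler' is the real Windows service name; the function and parameter names below are
# assumptions chosen for this example. Run from an elevated PowerShell session.

function Get-SpoolerState {
    # Return the current status and startup type of the Print Spooler service,
    # with a timestamp so the result can be kept as an audit record.
    $svc = Get-Service -Name 'Spooler' -ErrorAction Stop
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        Timestamp = (Get-Date).ToString('o')
    }
}

function Invoke-SpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hosts that genuinely need to print (print servers, user workstations) pass
        # -AllowPrinting so the service is left in place and only its state is recorded.
        [switch]$AllowPrinting
    )

    $before = Get-SpoolerState
    Write-Verbose "Print Spooler before: Status=$($before.Status) StartType=$($before.StartType)"

    if ($AllowPrinting) {
        Write-Output 'Printing required on this host; Spooler left as-is. Confirm the CVE-2022-38028 update is installed.'
        return $before
    }

    # -WhatIf / -Confirm are honoured here, so the change can be previewed before it is applied.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable the Print Spooler service')) {
        Stop-Service -Name 'Spooler' -Force -ErrorAction Stop
        Set-Service -Name 'Spooler' -StartupType Disabled
    }

    # Return the post-change state so the caller can verify the service is Stopped/Disabled.
    Get-SpoolerState
}

# Usage: preview first, then apply.
# Invoke-SpoolerMitigation -WhatIf
# Invoke-SpoolerMitigation -Verbose
```

Disabling the service only removes the exposed component; hosts that must keep printing still need the CVE-2022-38028 update, so the `-AllowPrinting` path deliberately leaves the service running and returns its state for the audit record rather than silently doing nothing.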