Forest Blizzard or APT28(STRONTIUM) abuses a Windows Print Spooler vulnerability, says Microsoft

Recently, Microsoft has warned that the Russian APT28 hackers group is exploiting a Windows Print Spooler vulnerability. This abuse includes elevating privileges and stealing credentials & data using a hacking tool, GooseEgg.

Microsoft mentioned in the report that:

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard(APT28) has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. 

How does this work?

Microsoft also said that they noticed Forest Blizzard using GooseEgg as a part of its post-compromise activities. They target a range of organizations, including governmental and non-governmental entities, educational institutions, and transportation sector organizations in Western Europe, Ukraine, and North America.

GooseEgg appears to be a simple launcher app; however, it has the capacity to initiate other apps as specified through the command line with elevated rights. This empowers threat actors to facilitate several follow-on objectives, including deploying a backdoor, remote code execution, and traversing an infected network laterally.

Forest Blizzard (APT28), previously known as STRONTIUM, which is associated with the Russian General Staff Main Intelligence Directorate (GRU) by both the United Kingdom and United States governments, mainly targets strategic intelligence objectives.

Moreover, it differs from other GRU-affiliated groups, Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586), and its focus is on collecting strategic intelligence.

The US National Security Agency informed the company about this flaw, and the Redmond tech giant fixed the flaw during the Microsoft October 2022 Patch Tuesday. However, Microsoft has not confirmed any instances of it being actively exploited in the security update guide.

Microsoft is committed to informing about detected malware activities and is keen on sharing insights on threat actors to help organizations protect themselves from these threats.

To prevent your organization from being a victim, you must apply the CVE-2022-38028 security update. Also, Microsoft Defender Antivirus identifies the specific Forest Blizzard capability as HackTool: Win64/GooseEgg. If you want to learn more about Forest Blizzard and GooseEgg, you can read the official security blog by Microsoft.

Apart from applying the patch, here are some other recommendations suggested by Microsoft in the security blog:

Reduce the Print Spooler vulnerability

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Be proactively defensive

• For customers, follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
• Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

•  Block credential stealing from the Windows local security authority subsystem (lsass.exe)

As mentioned earlier, if you suspect that your system is compromised, you can run Microsoft Defender Antivirus, which can detect threat components such as HackTool: Win64/GooseEgg.

Microsoft Defender for Endpoint and Microsoft Defender for Identity can also alert you to indicate threat activity related to this Forest Blizzard, which includes CVE-2021-34527 exploitation, spoolsv.exe’s suspicious behavior, and suspected elevation of rights through print filter pipeline service.

To conclude, organizations are advised to stay vigilant and implement the security measures mentioned by Microsoft to avoid falling into a trap by such threat actors.

What do you think about this attack? Share your opinions with our readers in the comments section below.