Attack

Microsoft warns of 2 year old vulnerability actively exploited by hacking groups

Take action: A lesson in regular patching, even when the advisory carries no active-exploitation flag. Microsoft's October 2022 advisory did not mark this bug as exploited in the wild, and the company said nothing about the attacks until now, roughly two years after the fix shipped and some four years after exploitation began. GooseEgg is a post-compromise tool: the attackers need a foothold first, so a machine that is two years behind on patching had better not have also fallen for a phishing email or a booby-trapped USB stick. Patch NOW, and check that nothing has already been planted.


Learn More

Microsoft has reported that the Russian APT28 threat group, also known as Forest Blizzard, has been exploiting a Windows Print Spooler vulnerability, tracked as CVE-2022-38028 (CVSS score 7.8), to escalate privileges and steal credentials and data.

The vulnerability has been exploited since at least June 2020, and possibly as early as April 2019. The attacks use a previously undocumented post-compromise tool that Microsoft has named GooseEgg.

Microsoft patched this vulnerability in its October 2022 Patch Tuesday release but did not tag it as actively exploited in the advisory. Because Windows updates are cumulative, any system that has installed the October 2022 or a later monthly update is covered; administrators should confirm that this is the case rather than assume it.

GooseEgg lets attackers who already have a low-privileged foothold launch additional payloads and run arbitrary commands with SYSTEM-level privileges. It is typically deployed by a Windows batch script, which also establishes persistence on the compromised system through a scheduled task.

The DLL that GooseEgg drops, often named 'wayzgoose23.dll', is a simple launcher that runs whatever program it is handed with SYSTEM-level permissions. With that, the attackers can deploy backdoors, move laterally through the network, and execute code remotely on breached systems.
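The following is an added example, not code from the article or from Microsoft: a single-host triage script in PowerShell that covers both the "patch NOW" advice above and the persistence artifacts just described. It checks whether the OS build is at or past the October 2022 cumulative update, reports the Print Spooler service state, and then hunts for a DLL named like 'wayzgoose23.dll' and for scheduled tasks that launch a batch file. The minimum build numbers, the search roots, and the `wayzgoose*.dll` wildcard are assumptions of this example (the article gives only the one file name), so confirm the build thresholds against Microsoft's October 2022 release notes for your SKU before relying on them.

```powershell
# Added example (not from the original article or from Microsoft).
# Run from an elevated PowerShell session on the host being checked.

# ASSUMPTION: minimum build (CurrentBuildNumber.UBR) of the 11 Oct 2022 cumulative
# update for common client SKUs. Verify against Microsoft's release notes.
$MinBuild = @{
    '19044' = 2130   # Windows 10 21H2
    '19045' = 2130   # Windows 10 22H2
    '22000' = 1098   # Windows 11 21H2
    '22621' = 674    # Windows 11 22H2
}

function Test-OctoberPatchLevel {
    # Compare the installed build/UBR against the October 2022 threshold.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    if (-not $MinBuild.ContainsKey($build)) {
        $status = 'UNKNOWN build for this table, check release notes manually'
    } elseif ($ubr -ge $MinBuild[$build]) {
        $status = 'At or past the October 2022 update'
    } else {
        $status = 'MISSING the October 2022 update, patch now'
    }
    [pscustomobject]@{ Build = "$build.$ubr"; Status = $status }
}

function Get-SpoolerState {
    # CVE-2022-38028 lives in the Print Spooler; a stopped/disabled spooler on a
    # host that does not print is a generic way to remove that attack surface.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'Spooler service not present' }
    "Spooler is $($svc.Status), start type $($svc.StartType)"
}

function Find-GooseEggArtifacts {
    # ASSUMPTION: search roots and the wildcard on the DLL name; the article only
    # reports 'wayzgoose23.dll', so the digits are treated as variable here.
    param([string[]]$Roots = @("$env:ProgramData", "$env:SystemRoot\Temp", "$env:USERPROFILE"))

    $dlls = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Filter 'wayzgoose*.dll' -File -Force `
            -ErrorAction SilentlyContinue
    }

    # Scheduled tasks whose action runs a batch file or cmd.exe. Plenty of benign
    # tasks do this too, so every hit needs a manual look at its author and path.
    $tasks = Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            ($_.Execute -match '\.bat|cmd\.exe') -or ($_.Arguments -match '\.bat')
        }
    } | Select-Object TaskName, TaskPath, Author,
        @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

    [pscustomobject]@{ SuspiciousDlls = @($dlls); BatchTasks = @($tasks) }
}

# --- run the triage ---------------------------------------------------------
Test-OctoberPatchLevel | Format-List
Get-SpoolerState

$hits = Find-GooseEggArtifacts
"DLLs matching wayzgoose*.dll: $($hits.SuspiciousDlls.Count)"
$hits.SuspiciousDlls | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
"Scheduled tasks that run a batch file or cmd.exe: $($hits.BatchTasks.Count)"
$hits.BatchTasks | Format-Table -AutoSize
```

A build that reports as patched only closes the privilege-escalation hole; it says nothing about whether the host was already compromised, which is why the artifact hunt runs regardless. Treat any wayzgoose*.dll hit as an incident, and walk the scheduled-task list for unfamiliar authors or batch files living under user-writable directories.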

APT28/Forest Blizzard is suspected to be linked to Russia's GRU military intelligence and has targeted a wide array of organizations, primarily in the US, Europe, and the Middle East, focusing on intelligence gathering.
