Kremlin-backed hackers exploit critical Microsoft vulnerability


Kremlin-Linked Hackers Exploit Microsoft Vulnerability

Microsoft disclosed on Monday that Kremlin-backed hackers have been exploiting a critical vulnerability in Microsoft software for the past four years. The attacks, which relied on a previously unknown tool, targeted numerous organizations, and the disclosure shows that the exploitation has been both extensive and ongoing.

Vulnerability Overview

The vulnerability in question, tracked as CVE-2022-38028, enables attackers to gain system privileges within Windows. With a severity rating of 7.8 out of 10, it poses a significant threat: exploitation requires only low existing privileges and low attack complexity. The flaw is located in the Windows print spooler, a crucial printer-management component that has been the target of previous critical exploits.

Microsoft first became aware of CVE-2022-38028 through the US National Security Agency and issued a patch in October 2022. However, the company did not initially disclose that the vulnerability was actively exploited in the wild by Russian hackers.

Exploitation by Forest Blizzard

The hacking group responsible for exploiting CVE-2022-38028 is known as Forest Blizzard. They have been utilizing this vulnerability since at least June 2020, and possibly as early as April 2019. Forest Blizzard is also associated with other monikers such as APT28, Sednit, Sofacy, GRU Unit 26165, and Fancy Bear. The group’s activities have been linked to Unit 26165 of the Main Intelligence Directorate, a Russian military intelligence agency.

Forest Blizzard primarily focuses on intelligence-gathering by targeting a wide range of organizations, particularly in the US, Europe, and the Middle East. They exploit the vulnerability to acquire system privileges and deploy a tool named GooseEgg for post-exploitation activities. This tool serves as a launching pad for installing additional malware, including credential stealers and lateral movement tools.

GooseEgg Post-Exploitation Tool

GooseEgg is a simple yet powerful post-exploitation tool developed by Microsoft. Once system privileges are obtained, GooseEgg provides threat actors with the ability to customize follow-on objectives such as remote code execution, backdoor installation, and lateral movement within compromised networks. The tool is typically installed using a batch script following successful exploitation of CVE-2022-38028 or similar vulnerabilities.

Forest Blizzard has also exploited CVE-2023-23397 according to the latest advisory from Microsoft. This ongoing exploitation of critical vulnerabilities underscores the need for organizations to remain vigilant and promptly apply security patches to protect against sophisticated cyber threats.


About Post Author

Chris Jones
