Newly Discovered GooseEgg Malware: Russian Hackers Forest Blizzard Exploit Print Spooler Vulnerability Since 2020

Forest Blizzard typically targets strategic intelligence assets, government organizations, technology companies, the education and transportation sectors, and other nongovernmental organizations in the U.S., Europe and the Middle East.
In addition to CVE-2022-38028, Forest Blizzard also exploits other bugs such as CVE-2023-23397, affecting all versions of Microsoft Outlook software on Windows devices.
Microsoft patched the Print Spooler security flaw in 2022; customers who haven't implemented these fixes are urged to do so for their organization's security.
Russian state-sponsored hackers Forest Blizzard have been using the GooseEgg malware since at least June 2020.
The malware exploits a vulnerability in the Windows Print Spooler service to perform remote code execution, install backdoors, and move laterally through networks.
Microsoft researchers have discovered a new malware named GooseEgg, which has been used by Russian state-sponsored hackers Forest Blizzard since at least June 2020. The malware exploits a vulnerability in the Windows Print Spooler service and allows attackers to perform remote code execution, install backdoors, and move laterally through compromised networks.

The hackers typically target strategic intelligence assets, government organizations, technology companies, the education and transportation sectors, and other nongovernmental organizations in the U.S., Europe, and the Middle East. Microsoft has observed that Forest Blizzard also targets media organizations and educational institutions.

Microsoft patched the Print Spooler security flaw in 2022. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization's security.

In addition to CVE-2022-38028, Forest Blizzard also exploits other bugs such as CVE-2023-23397, which affects all versions of Microsoft Outlook software on Windows devices. The group has been attempting to use the Microsoft Outlook bug to gain unauthorized access to email accounts within Microsoft Exchange servers since as early as April 2022.

Forest Blizzard is a sophisticated threat actor associated with Russia's military intelligence agency, the GRU. The group was previously known as Fancy Bear and APT28.

Microsoft advises organizations to implement security best practices such as applying software patches promptly, enabling multifactor authentication, and using endpoint protection solutions to mitigate the risk of GooseEgg and similar threats.
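The patching advice above is easier to act on with a quick per-host check. The script below is an added example written for this page, not code from the article or from Microsoft: it reports whether the Print Spooler service is running on a Windows host and whether a given update is installed, and can optionally stop and disable the service on machines that never print (a general hardening step, not one the article itself prescribes). The KB identifier is a placeholder; replace it with the update number from Microsoft's advisory for CVE-2022-38028. Save it as a .ps1 file and run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): report Print Spooler exposure
# on the local Windows host and, optionally, disable the service where it is not needed.
# Assumptions: elevated session; $SpoolerFixKb is a placeholder to be replaced with the
# KB number from the vendor advisory for CVE-2022-38028.
[CmdletBinding()]
param(
    [string]$SpoolerFixKb = 'KB<placeholder>',   # assumption: fill in from the advisory
    [switch]$DisableSpooler                       # only for hosts that do not need to print
)

function Get-SpoolerExposure {
    param([string]$FixKb)

    # Service object carries Status (Running/Stopped) and StartType (Automatic/Manual/Disabled).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status    = if ($svc) { $svc.Status }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType } else { 'NotInstalled' }

    # Get-HotFix lists installed Windows updates; a matching HotFixID is evidence the fix is present.
    $fixPresent = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                         Where-Object { $_.HotFixID -eq $FixKb })

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SpoolerStatus = $status
        StartType     = $startType
        FixPresent    = $fixPresent
        # Exposed: the spooler is running and the fix could not be confirmed as installed.
        Exposed       = ($status -eq 'Running' -and -not $fixPresent)
    }
}

$report = Get-SpoolerExposure -FixKb $SpoolerFixKb
$report | Format-List

if ($DisableSpooler -and $report.SpoolerStatus -ne 'NotInstalled') {
    # Stopping and disabling the service removes the attack surface entirely on hosts
    # that never print; verify printing is not required before using this switch.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on $env:COMPUTERNAME"
}
```

Run it without switches first to get an inventory line per host (for example through a remoting job across a fleet), and treat `Exposed = True` as a triage signal: either the update is missing, or the KB you supplied does not match how the fix was delivered on that build, which is itself worth checking.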



Confidence

90%

Doubts
  • Are there any indications that Forest Blizzard has shifted its tactics or targets in response to the patches?
  • Have all known vulnerabilities exploited by Forest Blizzard been included in Microsoft's patches?
  • Is there any information on how many organizations have been affected by the GooseEgg malware?

Sources

95%

  • Unique Points
    • Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years.
  • Accuracy
    • The vulnerability, CVE-2022-38028, was patched by Microsoft in October 2021.
    • GooseEgg allows attackers to perform remote code execution, install backdoors and move laterally through compromised networks.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (95%)
    The author makes several assertions in the article that are based on facts and do not contain any logical fallacies. However, there is one instance of an appeal to authority when the author states that 'the US and the UK governments have linked Forest Blizzard to Unit 26165 of the Main Intelligence Directorate, a Russian military intelligence arm better known as the GRU.' This statement does not contain any logical fallacies on its own, but it is important to note that it is an appeal to authority as the author is relying on the statements of other entities (the US and UK governments) to make her assertion.
    • The US and the UK governments have linked Forest Blizzard to Unit 26165 of the Main Intelligence Directorate, a Russian military intelligence arm better known as the GRU.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • Microsoft researchers discovered a new malware named GooseEgg used by Russian state-sponsored hackers Forest Blizzard since at least June 2020.
    • GooseEgg allows attackers to perform remote code execution, install backdoors and move laterally through compromised networks.
    • GRU hackers typically target strategic intelligence assets, government, energy, transportation and nongovernmental organizations in the U.S., Europe and the Middle East.
  • Accuracy
    • The vulnerability, CVE-2022-38028, was patched by Microsoft in October 2021 updates.
    • GooseEgg is capable of spawning other applications specified at the command line with elevated permissions allowing for follow-on objectives such as remote code execution or installing a backdoor.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (0%)
    None Found At Time Of Publication

98%

  • Unique Points
    • The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg.
    • GooseEgg is capable of spawning other applications specified at the command line with elevated permissions allowing for follow-on objectives such as remote code execution or installing a backdoor.
  • Accuracy
    • The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg.
    • Microsoft patched the Print Spooler security flaw in [2021, 2023] and urges customers to implement the fixes as soon as possible for their organization’s security.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (0%)
    None Found At Time Of Publication