Russian State-Sponsored Hackers Target Windows Users with Custom Tool, Warns Microsoft

ICARO Media Group
Politics
27/04/2024 21h44

In a recent warning, Microsoft Threat Intelligence researchers have alerted Windows users to an ongoing cyber-espionage campaign run by Russian state-sponsored hackers. The group, widely known as APT28 or Fancy Bear and tracked by Microsoft as Forest Blizzard, has been using a custom tool called GooseEgg to steal credentials and install backdoors on compromised systems.

Forest Blizzard, allegedly affiliated with Russia's GRU military intelligence agency's Military Unit 26165, has primarily targeted government, education, and transport sector organizations in the United States, Western Europe, and Ukraine, according to Microsoft. Their main focus is gathering strategic intelligence.

GooseEgg, initially thought to be a simple launcher application, exploits a patched vulnerability in the Windows Print Spooler service, tracked as CVE-2022-38028. The National Security Agency first reported the vulnerability, and Microsoft fixed it in the October 2022 Patch Tuesday rollout. The tool manipulates a JavaScript constraints file, which grants it SYSTEM-level permissions. With those permissions the hackers can spawn other applications at elevated privilege, enabling remote code execution, backdoor installation, and lateral movement within compromised networks.

Microsoft's Threat Intelligence report indicates that APT28 has been using GooseEgg as early as April 2019, with continued use at least until June 2020. Beyond CVE-2022-38028, the group has also exploited other vulnerabilities, including PrintNightmare (the Print Spooler flaws CVE-2021-34527 and CVE-2021-1675, disclosed in 2021) and CVE-2023-23397.

The severity of this cyber-espionage campaign underscores the importance of patching promptly. Microsoft urges organizations and users to apply the security update for CVE-2022-38028, which closes the hole this specific attack relies on. Microsoft Defender Antivirus detects the Forest Blizzard capability as HackTool:Win64/GooseEgg.
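As an added illustration of the checks a defender would run after reading the paragraph above (this is example code, not from the article or from Microsoft), the PowerShell below triages a single Windows host on the three points the article raises: whether the exploited Print Spooler service is running, whether Defender has recorded the HackTool:Win64/GooseEgg detection, and whether the update for CVE-2022-38028 is installed. The KB number is a placeholder, because the article names only the CVE; look up the KB for the host's OS build before running the patch check.

```powershell
# Added example, not part of the article. Assumes an elevated PowerShell
# session on a host running Microsoft Defender Antivirus.

$DetectionName = 'HackTool:Win64/GooseEgg'   # Defender detection name given in the article
$FixKb         = 'KB<placeholder>'           # placeholder: KB article that ships the CVE-2022-38028 fix

# 1. State of the Print Spooler service, the component GooseEgg exploits.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    "Print Spooler: status={0} startType={1}" -f $spooler.Status, $spooler.StartType
} else {
    "Print Spooler service not present on this host"
}

# 2. Any GooseEgg detections recorded by Defender on this host.
$hits = Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -eq $DetectionName }
if ($hits) {
    $hits | Select-Object ThreatName, SeverityID, IsActive,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
        Format-List
} else {
    "No $DetectionName detections recorded by Defender"
}

# 3. Whether the CVE-2022-38028 update is installed (Get-HotFix lists updates by KB id).
if ($FixKb -match '^KB\d+$') {
    $fix = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue
    if ($fix) {
        "Update $FixKb installed on $($fix.InstalledOn)"
    } else {
        "Update $FixKb NOT found; apply the October 2022 (or later) cumulative update"
    }
} else {
    "Set `$FixKb to the KB number for CVE-2022-38028 before running the patch check"
}
```

Step 3 is deliberately gated on a real KB id so the script does not report a false "not installed" result while the placeholder is still in place; on current builds the fix is part of the cumulative update, so a later cumulative update also satisfies it.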

Staying vigilant and keeping systems up to date with the latest security patches remain crucial measures in safeguarding against such targeted attacks.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
