Dive Brief:
- Forest Blizzard, a Russia-linked threat group, is using a custom-made tool called GooseEgg to exploit a privilege escalation vulnerability in Windows Print Spooler, Microsoft Threat Intelligence said Monday. The exploit allows malicious actors to escalate privileges and steal credentials.
- Forest Blizzard has used the tool since at least June 2020 to exploit the vulnerability against targets across government, education and transport sectors in Ukraine, Western Europe and North America. The malicious activity may have begun as early as April 2019, Microsoft said.
- The Cybersecurity and Infrastructure Security Agency on Tuesday added the vulnerability, listed as CVE-2022-38028, to its known exploited vulnerabilities catalog.
Dive Insight:
The malicious activity involves "modifying a JavaScript constraints file and executing it with SYSTEM-level permissions," according to Microsoft researchers.
Because GooseEgg can launch other programs with elevated privileges, Microsoft said, attackers can use it to support follow-on objectives such as remote code execution, installing backdoors and lateral movement through compromised networks.
U.S. and U.K. authorities have linked Forest Blizzard to the Russian General Staff Main Intelligence Directorate (GRU). The group has also relied on other exploits, including CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook.
Russia-linked actors have previously exploited the PrintNightmare vulnerability, listed as CVE-2021-34527 and CVE-2021-1675. But the malicious activity using GooseEgg is newly disclosed, Microsoft researchers said.
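Both GooseEgg and the PrintNightmare attacks above hinge on the Print Spooler service being reachable and loosely configured. The script below is an added example, not code from the article or from Microsoft, that audits the two controls a practitioner would check first: whether the Spooler is running where it is not needed (Microsoft's long-standing advice is to disable it on domain controllers), and whether the Point and Print hardening settings introduced for PrintNightmare (KB5005652) are enforced. It assumes it is run from an elevated PowerShell session on the host being checked; the registry paths and value names are the documented ones, but the "finding" wording is this example's own.

```powershell
# Added example: audit Print Spooler exposure on a Windows host.
# Assumes an elevated session. Registry keys/values are the documented
# Point and Print hardening settings (KB5005652); nothing here detects
# GooseEgg itself, it only reports whether the attack surface is reduced.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Spooler service state. DomainRole 4 = backup DC, 5 = primary DC.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $spooler) {
    $findings.Add("OK: Spooler service is not installed")
} elseif ($spooler.Status -eq 'Running') {
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        $findings.Add("HIGH: Spooler is running on a domain controller; disable it unless printing is required")
    } else {
        $findings.Add("INFO: Spooler is running (StartType=$($spooler.StartType))")
    }
} else {
    $findings.Add("OK: Spooler is $($spooler.Status) (StartType=$($spooler.StartType))")
}

# 2. Point and Print hardening. A missing key or a value of 0 means the
#    hardening is NOT enforced and non-admins may be able to install drivers.
$ppPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pp = Get-ItemProperty -Path $ppPath -ErrorAction SilentlyContinue

# RestrictDriverInstallationToAdministrators = 1 is the KB5005652 default.
if ($null -eq $pp -or $pp.RestrictDriverInstallationToAdministrators -ne 1) {
    $findings.Add("HIGH: RestrictDriverInstallationToAdministrators is not set to 1 under $ppPath")
} else {
    $findings.Add("OK: driver installation restricted to administrators")
}

# NoWarningNoElevationOnInstall = 1 and UpdatePromptSettings = 1/2 suppress the
# elevation prompt for driver install/update, the weak setting PrintNightmare abused.
if ($null -ne $pp) {
    if ($pp.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add("HIGH: NoWarningNoElevationOnInstall=1 suppresses the elevation prompt on driver install")
    }
    if ($pp.UpdatePromptSettings -ge 1) {
        $findings.Add("HIGH: UpdatePromptSettings=$($pp.UpdatePromptSettings) suppresses the prompt on driver update")
    }
}

# 3. Report. Exit code 2 if any HIGH finding, so the script can gate a build or a scan job.
$findings | ForEach-Object { Write-Output $_ }
if ($findings -match '^HIGH') { exit 2 } else { exit 0 }
```

Run it with `powershell -ExecutionPolicy Bypass -File Audit-Spooler.ps1` from an elevated prompt, or push it through your endpoint management tool and collect the exit codes; a non-zero result on a domain controller is the case worth escalating first. Patch status for CVE-2022-38028 is deliberately not inferred here, because the KB number differs per Windows build and should come from your update management system rather than a guess.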
PrintNightmare previously led to major exploitation activity. In March 2022, CISA and the FBI warned that Russian state-sponsored actors gained access to a non-governmental organization by abusing default multifactor authentication enrollment settings on a dormant account and then exploiting PrintNightmare to run code with SYSTEM privileges.
“Printers can become the attack path into your corporation,” Tom Kellermann, SVP of cyber strategy at Contrast Security, said in a statement. “Russia continues to exploit older vulnerabilities because many organizations do not have proper vulnerability management for their printers.”
U.S. authorities targeted Forest Blizzard earlier this year in a takedown of the Moobot botnet, which ran on compromised edge routers and was used to launch spear phishing and credential harvesting campaigns.