Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware
Apr 23, 2024
National Security Agency / Threat Intelligence
The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). It was addressed by Microsoft as part of updates released in October 2022, with the U.S. National Security Agency (NSA) credited for reporting the flaw at the time. According to new findings from the tech giant's threat intelligence team, APT28 – also called Fancy Bear and Forest Blizzard (formerly Strontium) – weaponized the bug in attacks targeting Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. "Forest Blizzard has used the tool [...] to exploit the CVE-2022-38028 vu