GooseEgg proves golden for Fancy Bear, says Microsoft

The Russia-backed advanced persistent threat (APT) operation tracked as Forest Blizzard by Microsoft – but more commonly known as Fancy Bear or APT28 – is exploiting a two-year-old vulnerability in the Windows Print Spooler with a custom tool to target education, government and transport sector organisations in Ukraine, Western Europe and North America.

The tool, referred to as GooseEgg, exploits CVE-2022-38028 – an elevation of privilege vulnerability with a CVSS base score of 7.8 – and Fancy Bear has likely been using it since June 2020, and possibly as early as April 2019.

The tool works by modifying a JavaScript constraints file and then executing it with system-level permissions, enabling the threat actor to elevate their privileges and steal vital credentials from its victims.

Although GooseEgg is a relatively simple launcher, it can also spawn other applications specified at the command line with elevated privileges – enabling its user to support other objectives, including the installation of backdoors, lateral movement and remote code execution.

Russian threat actors have long been keen on similar vulnerabilities – such as PrintNightmare, which emerged in 2021 – but according to Microsoft, the use of GooseEgg is a “unique discovery” that has never been previously reported.

“Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organisations protect themselves,” said the Microsoft Threat Intelligence team. “Organisations and users are to apply the CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.”

In addition to this, said the team, since Windows Print Spooler isn’t needed for domain controller operations, it’s recommended that it be disabled on domain controllers if feasible.

Beyond this, Microsoft said users should strive to be “proactively defensive”, taking steps such as following credential hardening recommendations; running endpoint detection and response (EDR) in block mode to allow Microsoft Defender for Endpoint to block malicious artefacts even if other antiviruses have not spotted them; allowing Defender for Endpoint to automate investigation and remediation of issues; and activating cloud-delivered protection in Microsoft Defender Antivirus.
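As an added example (not code from the article or from Microsoft), the PowerShell audit below checks a host against two of the hardening points above: the Print Spooler state on domain controllers and cloud-delivered protection in Defender Antivirus, and reports whether Defender has already logged a GooseEgg detection on the host. It assumes an elevated session on a machine where the Defender cmdlets are available; the `-Remediate` switch is this script's own convention.

```powershell
# Added example, not from the article or Microsoft: report (and optionally apply)
# the Print Spooler and cloud-protection hardening steps described above.
# Assumes an elevated session with the Defender cmdlets (Get-MpPreference, Get-MpThreat) present.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -ne $spooler) {
    Write-Output ("Print Spooler: status={0} startup={1}" -f $spooler.Status, $spooler.StartType)
    if ($isDomainController -and $spooler.StartType -ne 'Disabled') {
        Write-Warning "Domain controller with Print Spooler enabled; the service is not needed for DC operations."
        if ($Remediate) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            Write-Output "Print Spooler stopped and disabled."
        }
    }
} else {
    Write-Output "Print Spooler service not present on this host."
}

# Cloud-delivered protection (MAPS): 0 = off, 1 = basic, 2 = advanced
$pref = Get-MpPreference
if ($pref.MAPSReporting -eq 0) {
    Write-Warning "Cloud-delivered protection is off."
    if ($Remediate) { Set-MpPreference -MAPSReporting Advanced }
} else {
    Write-Output ("Cloud-delivered protection level: {0}" -f $pref.MAPSReporting)
}

# Has Defender Antivirus already recorded the HackTool:Win64/GooseEgg detection here?
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*GooseEgg*' }
if ($hits) {
    Write-Warning ("Defender has recorded {0} GooseEgg detection(s) on this host." -f @($hits).Count)
} else {
    Write-Output "No GooseEgg detections recorded by Defender."
}
```

Run it once without `-Remediate` to see what would change; on a member server the spooler check only reports, since the disable recommendation applies to domain controllers.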

Greg Fitzgerald, co-founder of a security vendor, said the discovery of GooseEgg spoke to a wider issue in the security world than merely a lack of attention to vulnerability management.

“Security teams have become incredibly efficient at identifying and remediating CVEs,” he said, “but increasingly it’s these environmental vulnerabilities – in this case within the Windows Print Spooler service, which manages printing processes – that create security gaps giving malicious actors access to data.

“These vulnerabilities are hiding in plain sight throughout IT environments, creating a landscape of threats that security teams can’t see, but are still accountable for,” said Fitzgerald. “The unfortunate reality is that most organisations are unable to create an accurate IT asset inventory that reflects the entirety of their attack surface.

“This puts them at the mercy of attackers who know where to look for forgotten IT assets that contain exploitable vulnerabilities.”

More guidance on detecting, hunting and responding to GooseEgg is available from the Microsoft Threat Intelligence team.
