Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks.

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.

Read more…
Source: Microsoft

Sign up for our Newsletter


  • Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)

    August 29, 2023

    On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. Over the course of this follow up blog post, Mandiant researchers will detail how UNC4841 has continued to show sophistication and adaptability in response to remediation efforts. Specifically, UNC4841 deployed new and ...

  • Flax Typhoon using legitimate software to quietly access Taiwanese organizations

    August 24, 2023

    Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with ...

  • Lazarus Group’s infrastructure reuse leads to discovery of new malware

    August 24, 2023

    In the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence ...

  • Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong

    August 22, 2023

    A previously unknown advanced persistent threat (APT) group used the legitimate Cobra DocGuard software to carry out a supply chain attack with the goal of deploying the Korplug backdoor (aka PlugX) onto victim computers. In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate. Most of the victims in this ...

  • Common TTPs of attacks against industrial organizations

    August 10, 2023

    In 2022 Kaspersky investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Based on similarities found between these campaigns and previously researched campaigns (e.g., ExCone, DexCone), including the use of FourteenHi variants, specific TTPs ...

  • Suspected Chinese cyber spies target unpatched SonicWall devices

    March 9, 2023

    Suspected Chinese cyber criminals have zeroed in on unpatched SonicWall gateways and are infecting the devices with credential-stealing malware that persists through firmware upgrades, according to Mandiant. The spyware targets the SonicWall Secure Mobile Access (SMA) 100 Series – a gateway device that provides VPN access to remote users. Read more… Source: The Register