Microsoft Fixes Exploit Used By Russian Threat Actors

Tyler Cross
Tyler Cross Senior Writer
Published on: April 25, 2024
Tyler Cross Tyler Cross
Published on: April 25, 2024 Senior Writer

The tech giant, Microsoft, recently fixed a vulnerability with its Windows software that Russian-based hackers were exploiting. The threat actors answer to multiple group names, including APT 28, Forrest Blizzard, and Fancy Bear.

Typically, the group is known for launching a variety of phishing and spoofing attacks at various companies worldwide. Multiple researchers into the group concluded that they carry out attacks that benefit the Russian state, leading many to conclude they’re a genuine state-sponsored hacking group.

They exploited the Windows Printer Spooler service to give themselves administrative privileges and steal compromised information from Microsoft’s network. The operation involved the use of GooseEgg, a newly identified malware tool APT 28 customized for the operation.

In the past, the group created other hacking tools, such as X-Tunnel, XAgent, Foozer, and DownRange. The group uses these tools to both launch attacks and sell the equipment to other criminals. This is known as a malware-as-a-service model.

The vulnerability, dubbed CVE-2022-38028, went undetected for multiple years, allowing these hackers ample opportunities to harvest sensitive data from Windows.

APT 28 is “using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,” explains Microsoft.

The hackers “follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.”

Several cybersecurity experts have spoken out after the discovery of CVE-2022-38028, voicing their concerns about the industry.

“Security teams have become incredibly efficient at identifying and remediating CVEs, but increasingly it’s these environmental vulnerabilities – in this case within the Windows Print Spooler service, which manages printing processes – that create security gaps giving malicious actors access to data,” writes Greg Fitzgerald, co-founder of Sevco Security.

Microsoft has fixed the security exploit, but the potential damages from this multi-year-long breach are unknown and the hacker group is still at-large.

About the Author
Tyler Cross
Tyler Cross
Senior Writer
Published on: April 25, 2024

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends."