Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America

The nefarious cyber-espionage hacking collective tracked as Forest Blizzard (aka Fancy Bear, STRONTIUM, or APT28) has been experimenting with a novel custom tool dubbed GooseEgg malware to weaponize the critical CVE-2022-38028 vulnerability in Windows Print Spooler. Adversaries are launching multiple intelligence-gathering attacks targeting organizations across the globe in diverse industry sectors. Successful privilege escalation and credential theft give adversaries the green light to perform RCE, drop malware, and proceed with further infection.

Detect the Latest Forest Blizzard Cyber-Espionage Operation

With exponentially growing APT threats that reflect escalating geopolitical tensions globally, cyber defenders are seeking reliable solutions to spot sophisticated attacks on time. Multiple russia-backed APT collectives are especially active while using Ukraine as a testing ground for new malicious TTPs. Further, proven methods are leveraged against major targets of interest for the Moscow government worldwide. 

The latest Forest Blizzard (aka Fancy Bear/APT28) campaign only intensifies this trend, with organizations in Ukraine, Western Europe, and North America being under attack. SOC Prime Platform for collective cyber defense aggregates a set of curated Sigma rules to help security professionals identify the malicious activity associated with this notorious cyber-espionage operation. Hit the Explore Detections button below and immediately drill down to a set of relevant detections.

Explore Detections

All the rules are compatible with 28 SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Additionally, detections are enriched with relevant threat intel, attack timelines, and metadata to smooth out threat investigation. 

Cybersecurity experts seeking more high-quality detection content to analyze Forest Blizzard TTPs retrospectively can browse SOC Prime’s Threat Detection Marketplace using the “Forest Blizzard” tag or follow this link. Our Sigma rules library contains detections related to CVE-2022-38028 exploitation attempts, which are available here. 

Forest Blizzard Attack Analysis: Insights into the Cyber-Espionage Campaign Abusing CVE-2022-38028

Microsoft Threat Intelligence has recently shared insights into the ongoing adversary campaign attributed to Fancy Bear (aka APT28, Forest Blizzard, Pawn Storm, Sofacy Group, or Strontium), a GRU-backed group that belongs to Unit 26165 of russia’s military intelligence agency. For over a four-year period, Forest Blizzard has been leveraging GooseEgg, a custom tool from the group’s adversary arsenal, to exploit the known elevation of privilege vulnerability in Windows Print Spooler (CVE-2022-38028) by modifying a JavaScript constraints file and running it with SYSTEM-level permissions.

Fancy Bear has a track record of weaponizing well-known vulnerabilities, especially in Microsoft products, to infiltrate targets for its malicious activities, primarily centered around intelligence gathering but not restricted to it. The notorious russia-linked state-sponsored group has been persistently targeting Ukraine and its allies since russia’s full-scale invasion, as in the phishing campaign at the end of 2023 against Ukrainian public sector entities and several organizations in Poland reported by CERT-UA. 

In the ongoing long-lasting campaign, adversaries have been targeting public and private sector organizations in Ukraine, Western Europe, and North America. Applying GooseEgg enables threat actors to gain elevated access to targeted systems, steal sensitive data, and further proceed with the attack development, leading to RCE, backdoor deployment, and lateral movement within the impacted networks. 

Forest Blizzard is lazer-focused on strategic intelligence objectives, which distinguishes it from other GRU-affiliated groups, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586). While russia-linked hackling groups have weaponized vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the disclosure of GooseEgg in Forest Blizzard’s offensive toolkit requires attention and ultra-responsiveness from the defenders on a cyber frontline.

Commonly, GooseEgg is deployed along with a batch script that triggers the corresponding GooseEgg executable and establishes persistence by creating a scheduled task. The GooseEgg binary facilitates commands to activate the Windows Print Spooler bug exploitation and trigger either a DLL or an executable with elevated privileges. Additionally, it confirms the successful activation of the exploit by utilizing the “whoami” command.

Microsoft addressed CVE-2022-38028 in the related security update published in October 2022, with credit given to the U.S. NSA for originally reporting the flaw. As other potential CVE-2022-38028 mitigation steps, researchers recommend deactivating the service on domain controllers and adopting proactive cyber defense strategies to minimize the risks of adversary intrusions.

With the increasing attacks linked to the russia-backed Forest Blizzard aka Fancy Bear group targeting global organizations, specifically the latest ongoing activity that employs the custom GooseEgg malware, security teams are striving to strengthen their defenses at scale. By taking advantage of Attack Detective, the advanced SaaS for Automated Threat Hunting & Detection Stack Validation, organizations can effectively identify blind spots in their detection coverage, gain real-time attack surface visibility, and find breaches before adversaries have a chance to strike.