Catch the GooseEgg: Microsoft Exposes Russian Spies Targeting Networks with Print Spooler Flaw

Beware the GooseEgg! Russian spies are cracking networks wide open with a crafty tool, exploiting a creaky Windows print spooler flaw. Microsoft’s on the case, but it’s time to patch up or risk a cyber scramble! 🥚💻🕵️‍♂️ #GooseEggMalware

Hot Take:

Oh, you thought the print spooler saga was over? Think again! The Russian spies from Fancy Bear are back at it, treating the Windows print spooler vulnerability like an all-you-can-eat buffet for their malware GooseEgg. Microsoft’s digital sleuths have the scoop, and we’re here for the cyber espionage drama – with a side of patching urgency and a sprinkle of “I told you so.”

Key Points:

  • Russian cyber espionage group Fancy Bear (tracked by Microsoft as Forest Blizzard) is exploiting a Windows Print Spooler vulnerability, CVE-2022-38028, with a custom tool called GooseEgg.
  • Microsoft Threat Intelligence says the group has used GooseEgg since at least June 2020, and possibly as early as April 2019.
  • GooseEgg lets the attackers elevate to SYSTEM on a compromised host and steal credentials.
  • Microsoft patched CVE-2022-38028 in October 2022 and recommends disabling the Print Spooler service on domain controllers, where it is not needed.
  • The same group was previously caught infecting home and small business routers with the Moobot malware.

Title: Windows Print Spooler Elevation of Privilege Vulnerability
CVE ID: CVE-2022-38028
CVE state: PUBLISHED
CVE assigner short name: microsoft
CVE date updated: 12/20/2023
CVE description: Windows Print Spooler Elevation of Privilege Vulnerability

Need to know more?

Print Spoiler Alert!

It's like the plot of a spy thriller, except it's actually happening in the digital world. Forest Blizzard, which sounds like a fancy ice cream flavor but is actually Microsoft's name for Fancy Bear, the GRU's cyber unit, has been busy not hibernating but building a custom tool to exploit a Windows vulnerability that was patched well over a year ago. Microsoft's threat hunters have been on their proverbial tails, uncovering their use of GooseEgg to scramble networks and poach credentials.

The Goose That Lays the Malicious Eggs

Imagine a goose that, instead of laying golden eggs, lays eggs filled with malware. That's GooseEgg for you: Fancy Bear's custom tool for exploiting our dear friend, the Windows Print Spooler service. This GooseEgg isn't something you'd want to find in your Easter basket. It exploits CVE-2022-38028 by modifying a JavaScript constraints file and getting it executed with SYSTEM-level permissions, and Microsoft says the tool has been in use since at least June 2020, possibly as early as April 2019. Talk about a long game!

Botnet Blues

The same Russian crew had their fingers in the botnet pie, infecting home and small business routers with the Moobot malware. But it's a game of whack-a-mole: knock one down, and they're bound to pop up somewhere else. After the FBI and friends took down that botnet, they likely went back to the drawing board, ready to craft another digital Frankenstein.

World Tour of Espionage

These Kremlin-backed spies aren't just targeting their own backyard. No, they've got aspirations, hitting Ukrainian, Western European, and North American targets across various sectors. Microsoft's international game of cyber cat-and-mouse continues: the Print Spooler bug was patched in October 2022, and Microsoft is advising everyone who hasn't applied that patch yet to do so now. Procrastinators, this is your wake-up call!

The Spooler's Spoilers

For those out of the loop, Microsoft patched this particular Print Spooler bug back in October 2022. But if your idea of fun doesn't include updating your systems, well, Fancy Bear might just take a fancy to your network. And if you're wondering what GooseEgg leaves behind, look for the DLL it drops: its file name contains "wayzgoose", and it's there to party with SYSTEM-level permissions. So, update your systems, or risk being the goose that gets cooked.

Avoiding the Nesting Goose

Let's be real, the Print Spooler on domain controllers is about as necessary as a chocolate teapot. Microsoft's hot tip? Disable it, because the Print Spooler service is not required for domain controller operations, and a spooler that isn't running can't be exploited. And if you're hungry for more, Microsoft has served up a full list of threat hunting queries and indicators of compromise. So feast your eyes, update your systems, and let's keep those Fancy Bears on a cyber diet.
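Here is an added PowerShell example (not from Microsoft's advisory or the GooseEgg report) showing the two housekeeping steps above: stop and disable the Print Spooler if the host is a domain controller, and do a quick sweep for a file with "wayzgoose" in its name. It assumes an elevated PowerShell session on the host, the standard "Spooler" service name, and that scanning the system drive is a reasonable place to look; the search path and the hotfix-date heuristic are assumptions for illustration, not indicators or KB numbers from the advisory.

```powershell
# Added example: disable Print Spooler on domain controllers and sweep for a
# GooseEgg-style "wayzgoose" DLL. Run from an elevated PowerShell session.

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $domainRole -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

if ($isDomainController -and $spooler) {
    # Spooler is not needed for DC operations: stop it now and keep it from starting at boot.
    if ($spooler.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
    }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on domain controller $env:COMPUTERNAME"
}
elseif ($spooler) {
    # Member servers and workstations may genuinely need printing; report, don't change.
    Write-Output "$env:COMPUTERNAME is not a domain controller (DomainRole=$domainRole); Spooler is $($spooler.Status). Review before disabling."
}

# Rough patch-level check (assumption: any update installed on or after the
# October 2022 Patch Tuesday, 2022-10-11). The authoritative KB depends on the
# OS version, so treat this as a prompt to verify, not as proof of patching.
$recentUpdates = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2022-10-11' }
if (-not $recentUpdates) {
    Write-Warning "No updates installed since 2022-10-11; CVE-2022-38028 fix may be missing."
}

# Sweep for the dropped DLL the article mentions: GooseEgg's loader DLL carries
# "wayzgoose" in its file name. Searching the whole system drive is an assumption
# for illustration; narrow it to the paths in Microsoft's IOC list if you have them.
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wayzgoose*' -Recurse -File -ErrorAction SilentlyContinue
if ($hits) {
    Write-Warning "Possible GooseEgg artifact(s) found:"
    $hits | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
}
else {
    Write-Output "No files matching 'wayzgoose*' found on $env:SystemDrive"
}
```

The script deliberately only reports on non-DC hosts: print servers and workstations may need the spooler, so the right fix there is the October 2022 patch, not a blanket service disable. A hit on the file sweep is a reason to start incident response, not a verdict on its own; confirm against Microsoft's published indicators and hunting queries.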

Tags: CVE-2022-38028, Forest Blizzard, GooseEgg malware, Microsoft Threat Intelligence, PrintNightmare Patch, Russian GRU espionage, Windows Print Spooler Vulnerability