Microsoft has warned that threat actors have once again exploited a Windows Print Spooler vulnerability, which allows them to escalate privileges and steal data and credentials.
The threat actors are APT28, military hackers from Russia’s Military Unit 26165 of Russia’s Man Intelligence directorate.
They are also known as Forest Blizzard or STRONTIUM.
APT28 used a tool called GooseEgg to exploit the vulnerability. Microsoft believes the treat actor has been using GooseEgg as early as April 2019.
“Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment,” Microsoft said.
The security flaw is in the Windows Print Spooler service, which runs by default on many current versions of the operating system.
If successfully exploited, the vulnerability could run arbitrary code with System-level privileges.
APT28 achieves this using GooseEgg, which Microsft reported is being dropped as a Windows batch script named ‘execute.bat’ or ‘doit.bat’ and then launched as a GooseEgg executable.
The tool then persists in attacking the system by launching a second batch script written to the disk called ‘servtask.bat’.
GooseEgg also drops a malicious dynamic link libraries (DLL) file in the context of the Print Spooler service with SYSTEM-level permissions.
This DLL file, often found using ‘wayzgoose’ in its name, is an app launcher that executes payloads using these SYSTEM-level permissions.
This is not the first time a print spooler vulnerability has been exploited in Windows.
Microsoft was alerted to the “PrintNightmare” vulnerability, as the cybersecurity community called it, in July 2021.
This allowed attackers to “install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
It also revealed that Russian threat actors had previously exploited PrintNightmare.
Microsoft patched the issue several weeks after researchers discovered it and published a proof-of-concept exploit online.