Microsoft has warned that threat actors have once again exploited a Windows Print Spooler vulnerability, which allows them to escalate privileges and steal data and credentials.<\/p>\n
The threat actors are APT28, military hackers from Russia\u2019s Military Unit 26165 of Russia\u2019s Man Intelligence directorate.<\/p>\n
They are also known as Forest Blizzard or STRONTIUM.<\/p>\n
APT28 used a tool called GooseEgg to exploit the vulnerability<\/a><\/strong>. Microsoft believes the treat actor has been using GooseEgg as early as April 2019.<\/p>\n \u201cMicrosoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment,\u201d Microsoft said<\/a><\/strong>.<\/p>\n The security flaw is in the Windows Print Spooler service, which runs by default on many current versions of the operating system.<\/p>\n If successfully exploited, the vulnerability could run arbitrary code with System-level privileges.<\/p>\n APT28 achieves this using GooseEgg, which Microsft reported is being dropped as a Windows batch script named \u2018execute.bat\u2019 or \u2018doit.bat\u2019 and then launched as a GooseEgg executable.<\/p>\n The tool then persists in attacking the system by launching a second batch script written to the disk called \u2018servtask.bat\u2019.<\/p>\n GooseEgg also drops a malicious dynamic link libraries (DLL) file in the context of the Print Spooler service with SYSTEM-level permissions.<\/p>\n This DLL file, often found using \u2018wayzgoose\u2019 in its name, is an app launcher that executes payloads using these SYSTEM-level permissions.<\/p>\n