Russian cyberespionage operation APT28, also known as Forest Blizzard, has been conducting data exfiltration and privilege escalation attacks with the novel GooseEgg hacking tool, which exploits an already patched Windows Print Spooler flaw tracked as CVE-2022-38028, against government, education, transportation, and non-government organizations since April 2019, BleepingComputer reports.
On compromised systems, one of two Windows batch scripts is dropped to launch the GooseEgg executable, after which a scheduled task is created to ensure persistence; the hacking tool is then used to deploy a malicious DLL, a report from the Microsoft Threat Intelligence team revealed. Execution of the DLL then enables additional backdoor distribution, lateral network movement, and remote code execution, researchers added.
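The batch script, executable, scheduled task and DLL sequence described above is the kind of chain a defender can correlate in endpoint telemetry. The following is an added example, not code from the report or from Microsoft; it assumes simplified Sysmon-like event records (id 1 = process create, id 7 = image load, with pid/ppid fields) and uses constructed sample events.

```python
from datetime import datetime

def is_user_path(path):
    # Assumption: binaries outside the OS and Program Files trees are "user-writable".
    return not path.lower().startswith((r"c:\windows", r"c:\program files"))

def ts(event):
    return datetime.fromisoformat(event["ts"])

# Constructed sample telemetry: ws01 shows the suspicious chain, ws02 is benign.
EVENTS = [
    {"ts": "2024-04-01T10:00:00", "host": "ws01", "id": 1, "pid": 100, "ppid": 10,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\run.bat"},
    {"ts": "2024-04-01T10:00:02", "host": "ws01", "id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Users\Public\svc.exe", "cmdline": "svc.exe"},
    {"ts": "2024-04-01T10:00:05", "host": "ws01", "id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"},
    {"ts": "2024-04-01T10:00:09", "host": "ws01", "id": 7, "pid": 200,
     "image": r"C:\Users\Public\svc.exe", "loaded": r"C:\Users\Public\helper.dll"},
    # Benign: a vendor installer registers a task but is not launched from a batch file.
    {"ts": "2024-04-01T11:00:00", "host": "ws02", "id": 1, "pid": 400, "ppid": 10,
     "image": r"C:\Program Files\Vendor\setup.exe", "cmdline": "setup.exe /silent"},
    {"ts": "2024-04-01T11:00:03", "host": "ws02", "id": 1, "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /create /tn VendorUpd"},
]

def find_chains(events, window_s=300):
    """Return (host, image) for user-path executables spawned by a batch script that
    register a scheduled task and load a user-path DLL within window_s seconds."""
    by_pid = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1 or not is_user_path(e["image"]):
            continue
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent is None or ".bat" not in parent["cmdline"].lower():
            continue
        t0 = ts(e)
        later = [x for x in events if x["host"] == e["host"]
                 and 0 <= (ts(x) - t0).total_seconds() <= window_s]
        task = any(x["id"] == 1 and x["ppid"] == e["pid"]
                   and "schtasks" in x["image"].lower() and "/create" in x["cmdline"].lower()
                   for x in later)
        dll = any(x["id"] == 7 and x["pid"] == e["pid"] and is_user_path(x["loaded"])
                  for x in later)
        if task and dll:
            hits.append((e["host"], e["image"]))
    return hits
```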
Such a development comes months after a joint global cybersecurity advisory warned about APT28's exploitation of compromised Ubiquiti EdgeRouter appliances in stealthy attacks. Organizations in the U.S. and UK also had their data compromised by the threat operation in Jaguar Tooth malware attacks facilitated by the exploitation of a Cisco router zero-day last year, according to U.S. and UK intelligence.