New warning over Russian APT28 threat group


Microsoft has warned Windows users that the Russian threat group APT28 is exploiting a Windows Print Spooler vulnerability, CVE-2022-38028, to escalate privileges and steal credentials and data using a previously undocumented post-exploitation tool that Microsoft calls GooseEgg. The flaw was fixed in Microsoft's October 2022 security update, so the observed attacks succeed only against systems that have not applied that patch.

According to Microsoft, the attackers deploy GooseEgg with a Windows batch script named 'execute.bat' or 'doit.bat', which launches the GooseEgg executable and establishes persistence on the compromised host.
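The deployment chain described above (a batch script with one of two reported names, a child executable it launches, and a persistence step) is narrow enough to hunt for in process-creation telemetry. The script below is an added example written for this page; it is not Microsoft's, Skybox's, or the article's code. Only the two batch-script names come from the report. The record field names (ProcessId, ParentProcessId, Image, CommandLine) assume a Sysmon Event ID 1 style export, the persistence commands it flags (schtasks /create and Run-key writes) are assumed generic Windows persistence patterns because the article does not name the mechanism, and the sample events, paths and the payload file name are constructed.

```python
"""Hunt for the GooseEgg launcher chain over exported process-creation events.

Added example for this article, not Microsoft's or the page's code. Field names
are an assumption about the export format (Sysmon Event ID 1 style dicts). The
batch-script names are the ones Microsoft reported; the persistence commands
are assumed, and all sample data below is constructed.
"""
import re

# Batch script names Microsoft reported for the GooseEgg launcher.
BATCH_NAMES = {"execute.bat", "doit.bat"}

# The article only says the script "gains persistence". Scheduled-task creation
# and Run-key writes are assumed here as the generic persistence commands worth
# flagging when they run underneath one of the launcher scripts.
PERSISTENCE_RE = re.compile(
    r"\bschtasks(?:\.exe)?\b.*?/create|\breg(?:\.exe)?\s+add\b.*?\\run\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of quotes and either slash style."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, finding, command_line) triples in event order.

    Events must be in creation order so a launcher is seen before its children.
    Command lines are split on whitespace, so quoted paths containing spaces
    would need a proper Windows argv parser in production use.
    """
    findings = []
    launcher_pids = set()
    for ev in events:
        pid, ppid = ev["ProcessId"], ev.get("ParentProcessId")
        image = basename(ev["Image"])
        cmd = ev["CommandLine"]
        argv_names = {basename(tok) for tok in cmd.split()}

        # Stage 1: cmd.exe invoking execute.bat / doit.bat (or the script as the image).
        if image in BATCH_NAMES or (image == "cmd.exe" and argv_names & BATCH_NAMES):
            findings.append((pid, "batch-launcher", cmd))
            launcher_pids.add(pid)
            continue

        # Stages 2 and 3 only matter for direct children of a flagged launcher.
        if ppid not in launcher_pids:
            continue
        if PERSISTENCE_RE.search(cmd):
            findings.append((pid, "persistence", cmd))
        elif image.endswith(".exe") and image != "cmd.exe":
            # The executable the batch script launches (GooseEgg in the report).
            findings.append((pid, "child-executable", cmd))
    return findings


# Constructed sample telemetry: one GooseEgg-style chain under PID 4120 and one
# benign build job under PID 5200 that uses a batch file with a different name.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\execute.bat"},
    {"ProcessId": 4132, "ParentProcessId": 4120,
     "Image": r"C:\ProgramData\payload.exe",  # constructed stand-in for the GooseEgg binary
     "CommandLine": r"C:\ProgramData\payload.exe -a"},
    {"ProcessId": 4140, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Update" /tr C:\ProgramData\payload.exe /sc onlogon'},
    {"ProcessId": 5200, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\src\build.bat"},
    {"ProcessId": 5210, "ParentProcessId": 5200,
     "Image": r"C:\tools\msbuild.exe",
     "CommandLine": r"msbuild.exe app.sln"},
]


if __name__ == "__main__":
    for pid, finding, cmd in hunt(SAMPLE_EVENTS):
        print(f"{pid}\t{finding}\t{cmd}")
```

Run against the constructed sample, the hunt flags the three processes under PID 4120 and nothing from the benign build job. In a real environment the batch-script names are weak indicators on their own (an attacker can rename them at no cost), so the value of the chain match is that it also surfaces whatever the script launched and how it persisted; treat the persistence patterns as a starting point and adjust them to the mechanisms your telemetry actually exposes.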

In recent months, APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

Looking into this matter for Digital Journal is Howard Goodman, Technical Director at Skybox Security.

Goodman begins by providing background context about the warning from the tech giant: “In its latest security advisory, Microsoft revealed that the Russian threat group APT28, also known as Fancy Bear, has exploited a critical vulnerability in the Windows Print Spooler.”

With regards to the hacker group, Goodman states: “This group, notorious for sophisticated cyber-attacks on governmental and non-governmental organizations, as well as critical infrastructure worldwide, has utilized the CVE-2022-38028 vulnerability to escalate privileges and illicitly access sensitive data. This breach highlights the ongoing risk posed by cyber adversaries who exploit common software vulnerabilities to conduct espionage and data theft.”

In terms of the significance of the alert from Microsoft, Goodman considers: “This development serves as a crucial reminder of the need for organizations to proactively strengthen their cyber defences.”

Goodman ties the warning to a strategy for countering this class of threat: “An emerging strategy in cybersecurity, Continuous Exposure Management (CEM), offers a comprehensive approach by integrating security policy management, attack surface management, vulnerability management, and remediation automation.”

Furthermore, the analyst says: “By continuously assessing, prioritizing, and mitigating threats, CEM enables organizations to effectively respond to vulnerabilities and minimize the risks of data breaches and system compromises.”

Such an approach is part of a broader defensive posture of sustained vigilance against global security threats. Goodman comments: “The sophistication of threat groups like APT28 necessitates that organizations maintain vigilance and adapt their security strategies to effectively counteract evolving cyber threats.”

Based on this, Goodman concludes: “By implementing proactive measures such as CEM, organizations can enhance their resilience against sophisticated cyber adversaries and safeguard their critical data and systems.”
