Critical Windows Bug Utilized in “GooseEgg” Attacks

Over the past few years, security experts have observed an intensification of cyberattacks on organizations in Eastern and Western Europe, as well as North America. The perpetrators are hackers from the group known as APT29, who actively exploit vulnerabilities in security software and systems.

Researchers from Microsoft have identified the use of a new type of malicious software by the group, dubbed GooseEgg, which exploits a bug in the Windows Print Spooler component that was officially patched in October 2022.

The vulnerability, tracked as CVE-2022-38028 and rated 7.8 on the CVSS scale, allows an attacker to elevate privileges on the system. Using the GooseEgg malware, attackers launch programs with those heightened permissions, facilitating the further spread of malicious software and the installation of backdoors.


According to experts, APT29’s actions are often aimed at gathering intelligence. Although GooseEgg is merely a simple launcher application, it supports various commands for triggering the exploit and executing malicious code.

It has also been noted recently that this group utilizes vulnerabilities in Microsoft Outlook and WinRAR for privilege escalation and code execution, highlighting their ability to swiftly integrate public exploits into their operations.

To defend against APT29 attacks, Microsoft experts recommend applying the Print Spooler fix on any system that has not yet received it since the patch was issued, and actively strengthening protective mechanisms within organizations.