2024-05-02

Forest Blizzard Uses GooseEgg to Breach Western Cyber Defenses

Level: Tactical | Source: Microsoft
Sectors: Education, Energy, Government, Media, Non-government organizations (NGOs), Technology


Forest Blizzard, identified as a Russian cyber threat group associated with military intelligence (GRU), has been actively involved in espionage activities targeting a wide range of sectors including government, energy, transportation, media, and educational institutions across the United States, Europe, and the Middle East. Recognized by names such as APT28, Fancy Bear, and Strontium, this group has been operational since at least 2010, focusing on intelligence collection to support Russian foreign policy initiatives. Newly observed intelligence from the Microsoft Threat Intelligence team reveals the use of a tool dubbed "GooseEgg," first utilized in June 2020 for post-exploitation tasks.

"Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information," reports Microsoft. GooseEgg is used in conjunction with exploits including CVE-2022-38028, a vulnerability in the Windows Print Spooler service. Another exploited vulnerability is the Microsoft Office Outlook privilege escalation issue, CVE-2023-23397. Forest Blizzard uses GooseEgg to execute commands and scripts with SYSTEM-level permissions, which facilitates malicious activities such as credential theft, remote code execution, and lateral movement within compromised networks. Microsoft's analysis details that GooseEgg is typically deployed via a batch script, with persistence established through scheduled tasks that run those batch scripts, registry keys modified and saved, and custom protocols and directory manipulation used to conceal malicious activity. The group uses GooseEgg to modify JavaScript files and registry settings so that system processes are redirected to attacker-controlled directories. These techniques allow the group to execute further payloads covertly, maintain access to the compromised systems, and exfiltrate data.

For organizations looking to defend against such threats, Microsoft recommends applying security updates for known vulnerabilities, such as CVE-2022-38028, and disabling unnecessary services like the Print Spooler on domain controllers. The urgency of timely patching is underscored by alerts from Poland's Cyber Command, which has warned organizations about Forest Blizzard's exploitation of CVE-2023-23397. Additionally, firms such as Google TAG and Trend Micro have associated this group with exploiting the WinRAR vulnerability, CVE-2023-38831.
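To turn the Print Spooler recommendation above into a repeatable check, here is an added PowerShell example (not code from Microsoft or Anvilogic) that reports whether a host is a domain controller with an enabled Spooler service and, with -Remediate, stops and disables it; the function name and its output fields are assumptions of this example.

```powershell
# Added example, not from the Anvilogic or Microsoft write-ups: audit the Print
# Spooler service and optionally disable it on domain controllers, the
# mitigation recommended for CVE-2022-38028. Assumes PowerShell 5.1+ and
# local administrator rights when -Remediate is used.
function Test-PrintSpoolerExposure {
    [CmdletBinding()]
    param(
        # Stop the Spooler and set it to Disabled, but only on domain controllers.
        [switch]$Remediate
    )
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDC = $cs.DomainRole -in 4, 5
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; IsDomainController = $isDC
            SpoolerPresent = $false; Exposed = $false; Action = 'none'
        }
    }
    # A DC whose Spooler is running or would start at boot is the case the
    # advisory tells defenders to remove.
    $exposed = $isDC -and ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled')
    $action  = 'none'
    if ($exposed -and $Remediate) {
        Stop-Service -Name Spooler -Force -ErrorAction Stop
        Set-Service  -Name Spooler -StartupType Disabled
        $svc    = Get-Service -Name Spooler   # re-read the post-change state
        $action = 'stopped and disabled'
    }
    elseif ($exposed) {
        $action = 'review: disable Spooler on this domain controller'
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDC
        SpoolerPresent     = $true
        Status             = $svc.Status
        StartType          = $svc.StartType
        Exposed            = $exposed
        Action             = $action
    }
}
# Audit only; add -Remediate to enforce the change on domain controllers.
Test-PrintSpoolerExposure | Format-List
```

Run it across domain controllers (for example via Invoke-Command) to get a per-host inventory before deciding where to disable the service, since member servers that legitimately print are intentionally left untouched.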
