Cyber Threat Report: 'Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials'

Report Author Microsoft Threat Intelligence
Publication Date 2024-04-22
Original Reporting Source
Attributed to Nation Russia
Related Intrusion Sets Fancy Bear , APT28 , Forest Blizzard
Related Threat Actors GRU Unit 26165 , GRU - Russian Main Directorate of the General Staff
Identified CVEs CVE-2022-38028 , CVE-2023-23397
Victim Sectors Non Profit, Transportation, National Government, Education

This blog post by researchers at Microsoft Threat Intelligence outlines activity they observed from Forest Blizzard using a tool they named 'GooseEgg' to exploit CVE-2022-38028. CVE-2022-38028 is a vulnerability in the Windows Print Spooler service; GooseEgg exploits it by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. According to the post, the researchers observed Forest Blizzard using GooseEgg for post-compromise activity: it is a simple launcher application capable of spawning other applications with elevated permissions. Microsoft Threat Intelligence has observed Forest Blizzard using GooseEgg against the government, NGO (non-governmental organisation), education and transport sectors. Forest Blizzard, referred to by other researchers as APT28, is identified as being linked to Russia's General Staff Main Intelligence Directorate (GRU). The post provides some technical analysis of GooseEgg as well as recommendations for defending against GooseEgg attacks.
