Microsoft warns that Russian hackers target Windows Print Spooler


Key notes

  • Russian hackers use new tool (GooseEgg) to exploit old Windows Print Spooler vulnerability.
  • GooseEgg steals credentials and gives high-level access to attackers.
  • Patch your system (updates from Oct 2022 & June/July 2021) and consider disabling Print Spooler on domain controllers.

Microsoft has issued a warning about a new tool used by a Russia-linked hacking group to exploit a vulnerability in Windows Print Spooler software. This is not the first time Microsoft has dealt with Russian hackers.

The hacking group, known as Forest Blizzard (also referred to as APT28, Sednit, Sofacy, and Fancy Bear), has been targeting government, energy, transportation, and non-governmental organizations (NGOs) for intelligence-gathering purposes. Microsoft believes Forest Blizzard is linked to Russia’s GRU intelligence agency.

The new tool, called GooseEgg, exploits a vulnerability in the Windows Print Spooler service (CVE-2022-38028) to gain privileged access to compromised systems and steal credentials. The vulnerability allows GooseEgg to modify a JavaScript file and then execute it with high permissions.

The Windows Print Spooler service acts as a middleman between your applications and your printer. It’s a software program running in the background that manages print jobs. It keeps things running smoothly between your programs and your printer.

Microsoft recommends that organizations take several steps to protect themselves:

  • Apply security updates for CVE-2022-38028 (October 11, 2022) and previous Print Spooler vulnerabilities (June 8 & July 1, 2021).
  • Consider disabling Print Spooler service on domain controllers (not required for operation).
  • Implement credential hardening recommendations.
  • Use Endpoint Detection and Response (EDR) with blocking capabilities.
  • Enable cloud-delivered protection for antivirus software.
  • Utilize Microsoft Defender XDR attack surface reduction rules.
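
For the domain controller recommendation, the following PowerShell script is an added example, not taken from Microsoft's advisory. It reports the Print Spooler state on every domain controller and, only when run with the `-Disable` switch (a name chosen for this example), stops and disables the service. It assumes the ActiveDirectory RSAT module and PowerShell remoting to each domain controller.

```powershell
# Added example: audit, and optionally disable, Print Spooler on domain controllers.
# Assumptions: ActiveDirectory RSAT module is installed, WinRM remoting to each DC works,
# and the caller has administrative rights on the DCs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # example switch: without it the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Honour -WhatIf / -Confirm locally, before anything is changed remotely.
    $doDisable = $Disable -and
        $PSCmdlet.ShouldProcess($dc.HostName, 'Stop and disable Print Spooler')
    try {
        $svc = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $doDisable -ScriptBlock {
                param($DoDisable)
                if ($DoDisable) {
                    Stop-Service -Name Spooler -Force
                    Set-Service -Name Spooler -StartupType Disabled
                }
                # Read the state back after any change so the report is accurate.
                Get-CimInstance Win32_Service -Filter "Name='Spooler'" |
                    Select-Object State, StartMode
            }
        [pscustomobject]@{
            DomainController = $dc.HostName
            State            = $svc.State
            StartMode        = $svc.StartMode
            # Exposed means the service is running or could still be started.
            Exposed          = ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled')
        }
    }
    catch {
        # An unreachable DC is reported rather than silently skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            State            = 'Unknown'
            StartMode        = 'Unknown'
            Exposed          = $true
        }
    }
}

$results | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

Run it first without `-Disable`, or with `-Disable -WhatIf`, to see which domain controllers would be changed. Disabling the spooler on a domain controller also stops it from pruning stale published printers from Active Directory.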

Microsoft Defender Antivirus detects GooseEgg as HackTool:Win64/GooseEgg. Microsoft Defender for Endpoint and Microsoft Defender XDR can also identify suspicious activity related to GooseEgg deployments.

By staying informed about these threats and implementing the recommended security measures, organizations can help protect themselves from attacks by Forest Blizzard and other malicious actors.
