Non-Technical Summary: Microsoft has issued a warning about a Russian hacking group known as APT28. This group has been exploiting a vulnerability in Windows to gain unauthorized access to systems and steal data¹. They use a previously unknown hacking tool called GooseEgg to carry out these attacks¹. This group has been active since at least June 2020 and possibly as early as April 2019¹. They have targeted various organizations including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America¹.

Technical Details: The APT28 group exploits a Windows Print Spooler vulnerability (CVE-2022-38028) to escalate privileges and steal credentials. They use a tool called GooseEgg to launch and deploy additional malicious payloads and run various commands with SYSTEM-level privileges – gaining network wide access.

The attackers drop this tool as a Windows batch script named ‘execute.bat’ or ‘doit.bat,’ which launches a GooseEgg executable and gains persistence on the compromised system by adding a scheduled task that launches ‘servtask.bat,’ a second batch script written to the disk.

Attackers also use GooseEgg to drop an embedded malicious DLL file (in some cases dubbed ‘wayzgoose23.dll’) in the context of the PrintSpooler service. This DLL is actually an app launcher that can execute other payloads with SYSTEM-level permissions and lets attackers deploy backdoors, move laterally through victims’ networks, and run remote code on breached systems¹.

Protecting your Systems – Next steps :

Working with a qualified technical consultant or managed IT support provider is one of the most effective ways to mitigate the risks businesses are exposed on on a daily basis. As a proactive IT provider, Euclid takes the following measures to protect all its partner organizations :

1. Software and OS Updates: Euclid Networks offers remote monitoring and maintenance software with all its monthly support plans, that ensure your software and operating systems are always up-to-date on business workstations and servers, protecting against known vulnerabilities.
2. Antivirus Software: We provide best in class antivirus and anti-malware software that can help detect and remove malicious software.
3. Two-Factor Authentication: Euclid Networks enables and periodically audits two-factor authentication for your accounts, adding an extra layer of security.
4. Email and Link Monitoring: We keep a watchful eye on your digital communications, cautioning you against any unexpected or suspicious emails or links that could be phishing attempts.

By offering these services, Euclid Networks helps to significantly reduce the risk of a successful attack on your digital systems. If you’re looking for a new IT service partner, or want to discuss your business technology systems, don’t hesitate to contact us today!