Windows Vulnerability Reported by the NSA Exploited to Install Russian Malware
Freeman writes:
Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed Monday.
When Microsoft patched the vulnerability in October 2022-at least two years after it came under attack by the Russian hackers-the company made no mention that it was under active exploitation. As of publication, the company's advisory still made no mention of the in-the-wild targeting.
[...] On Monday, Microsoft revealed that a hacking group tracked under the name Forest Blizzard has been exploiting CVE-2022-38028 since at least June 2020-and possibly as early as April 2019. The threat group-which is also tracked under names including APT28, Sednit, Sofacy, GRU Unit 26165, and Fancy Bear-has been linked by the US and the UK governments to Unit 26165 of the Main Intelligence Directorate, a Russian military intelligence arm better known as the GRU.
Since as early as April 2019, Forest Blizzard has been exploiting CVE-2022-38028 in attacks that, once system privileges are acquired, use a previously undocumented tool that Microsoft calls GooseEgg. The post-exploitation malware elevates privileges within a compromised system and goes on to provide a simple interface for installing additional pieces of malware that also run with system privileges. This additional malware, which includes credential stealers and tools for moving laterally through a compromised network, can be customized for each target.
[...] People administering Windows machines should ensure that the fix for CVE-2022-38028 has been installed, as well as the fix for CVE-2021-34527, the tracking designation for a previous critical zero-day that came under mass attack in 2021.
Read more of this story at SoylentNews.