Windows vulnerability reported by the NSA exploited to install Russian malware
Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed.
#ForestBlizzard #Microsoft #Windows #russia #russian #NSA #malware #security #cybersecurity #hackers #hacking #hacked
Good day everyone!
The Microsoft Threat Intel team has recently dropped some new #ForestBlizzard TTPs and behaviors! They take a look at the malware the group used, named GooseEgg, and reveal how it set up a scheduled task for persistence calling on a batch file named servtask.bat. Find much more information in the article, but I am not going to spoil it! Enjoy and Happy Hunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.
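The persistence behaviour mentioned in the post (a scheduled task that launches servtask.bat) is something defenders can hunt for directly in the Task Scheduler XML definitions stored under %SystemRoot%\System32\Tasks. The following is an added example, not code from the post or from Microsoft's write-up: it parses task definitions in that XML format and flags any Exec action whose command or arguments name servtask.bat. The task paths and file locations in the samples are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# File name the Microsoft write-up ties to GooseEgg persistence
WATCHED_FILENAMES = {"servtask.bat"}

# Constructed sample task definitions keyed by task path (not real artifacts)
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Maintenance\WinUpdateCheck": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        r"<Command>C:\Windows\System32\cmd.exe</Command>"
        r"<Arguments>/c C:\ProgramData\servtask.bat</Arguments>"
        "</Exec></Actions></Task>"
    ),
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        r"<Command>%windir%\system32\defrag.exe</Command>"
        "<Arguments>-c -h -o -$</Arguments>"
        "</Exec></Actions></Task>"
    ),
    r"\servtask": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        r"<Command>C:\Users\Public\servtask.bat</Command>"
        "</Exec></Actions></Task>"
    ),
}


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield cmd.strip(), args.strip()


def references_watched_file(command, arguments):
    """True if the command itself or any argument token ends in a watched file name."""
    for field in (command, arguments):
        for token in field.replace('"', " ").split():
            # Normalise Windows separators so basename works on any host OS
            if os.path.basename(token.replace("\\", "/")).lower() in WATCHED_FILENAMES:
                return True
    return False


def hunt_tasks(tasks):
    """Return [(task_path, command, arguments)] for tasks that run a watched file."""
    hits = []
    for path, xml_text in tasks.items():
        for cmd, args in exec_actions(xml_text):
            if references_watched_file(cmd, args):
                hits.append((path, cmd, args))
    return hits
```

On a live host the same functions can be fed the contents of each file under the Tasks directory; both the "cmd.exe /c ...servtask.bat" form and the direct-command form are caught.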
Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months. APT28 is publicly attributed to Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
cc: @serghei @campuscodi @briankrebs @jwarminsky
#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg
#Microsoft, #OpenAI say #US rivals use artificial intelligence in hacking
Microsoft says #Russia, #China, #Iran and #NorthKorea have all used #AI to improve their abilities
From their report they say they are spying on users:
In collaboration with OpenAI, we are sharing threat intelligence showing detected state affiliated adversaries—tracked as #ForestBlizzard, #EmeraldSleet, #CrimsonSandstorm, #CharcoalTyphoon, and #SalmonTyphoon—using #LLM to augment cyberoperations.
https://www.washingtonpost.com/technology/2024/02/14/us-adversaries-using-artificial-intelligence-boost-hacking-efforts/
#FBI Dismantles #Ubiquiti Router Botnet Controlled by #Russia
“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti #EdgeOS routers that still used publicly known default administrator #passwords. #GRU hackers then used the #Moobot #malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber #espionage platform,” agency said
https://www.securityweek.com/fbi-dismantles-ubiquiti-router-botnet-controlled-by-russian-cyberspies/ #ForestBlizzard #Sofacy #FancyBear #APT28
Please patch and change #defaultpasswords
Justin Warner’s (@sixdub) talk on #ForestBlizzard / #STRONTIUM / #FancyBear / #APT28. BLUEHAT IL 2023. #MYSTIC