This analysis of #APT28 aka #ForestBlizzard methodology is being reported all over as though it were special. And while it may be "unique" to the group, it's just...not that special.

Everything I see here should be detected by modern standard defenses. This attack chain doesn't even read like an APT to me; it reads like a cybercrime group.

What am I missing?
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog

Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.

Microsoft Security Blog

@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes. These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.

@simontsui That's a good takeaway, but that is not exactly the context of some of the reporting I'm seeing.

But yes, the backdating of exploitation (which MS has yet to acknowledge in the CVE?) is important.

@mttaggart Another interesting point is that CVE-2022-38028 was originally reported to Microsoft by the National Security Agency, as Bleeping Computer mentioned: https://www.bleepingcomputer.com/news/security/microsoft-apt28-hackers-exploit-windows-flaw-reported-by-nsa/

Since it was not disclosed as exploited at the time, we might infer that NSA didn't observe exploitation in the wild by a foreign adversary like APT28 back in 2022. So how did NSA come across CVE-2022-38028? 🤔 I hope I don't have to explicitly say it.

Microsoft: APT28 hackers exploit Windows flaw reported by NSA

Microsoft warns that the Russian APT28 threat group exploits a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg.

BleepingComputer