Microsoft says Russian hackers are exploiting an ancient printer security flaw

Et bilde av et tastatur der Enter-knappen har påmalt et russisk flagg, med en liten gullbjørn stående på tasten. (Image credit: Shutterstock / Aleksandra Gigowska)

Russian state-sponsored threat actors have been observed abusing an old printer vulnerability to drop custom malware on target endpoints.

The malware helped them exfiltrate sensitive data and login credentials, a report from Microsoft Threat Intelligence has claimed.

As per the report, since mid-2019, a group known as Fancy Bear has been abusing a print spooler elevation of privilege bug found in Windows printers. The vulnerability, tracked as CVE-2022-38028, was discovered in 2022, and patched in October the same year.

The fall of Moobot

However, even after the release of the fix, Fancy Bear targeted unpatched endpoints in government, non-government, education, and transportation firms, located in Ukraine, Western European, and North American countries.

Once found, the devices would be infected with a custom-built malware called GooseEgg, which granted the attackers elevated privileges, and the ability to steal credentials across compromised systems. 

Given that the patch has been available for almost two years now, it’s the best and easiest way to protect the endpoints from Russian spies.

Fancy Bear is probably Russia’s most popular threat actor. Some researchers have linked it to the GRU - the Russian General Staff Main Intelligence Directorate - the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation.

In mid-February this year, US law enforcement agents successfully shut down a malicious Fancy Bear botnet. At the time, the U.S. Department of Justice (DoJ) said its agents conducted a “court-authorized operation” that has neutralized a network of “hundreds of small office/home office (SOHO) routers”.

As explained by the DoJ, most of the Ubiquiti Edge OS routers used in the botnet were previously infected by malware called Moobot, which was developed by a private hacking group. This group targeted routers with factory settings and otherwise easy-to-guess passwords to install the malware. Then, APT 28 (as they call Fancy Bear) swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”

Via The Register

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.