TechRadar
Sead Fadilpašić

Microsoft says Russian hackers are exploiting an ancient printer security flaw

Russian state-sponsored threat actors have been observed abusing an old printer vulnerability to drop custom malware on target endpoints.

The malware helped them exfiltrate sensitive data and login credentials, a report from Microsoft Threat Intelligence has claimed.

According to the report, since mid-2019 a group known as Fancy Bear has been abusing a print spooler elevation-of-privilege bug in Windows. The vulnerability, tracked as CVE-2022-38028, was discovered in 2022 and patched in October of the same year.

The fall of Moobot

However, even after the release of the fix, Fancy Bear targeted unpatched endpoints in government, non-government, education, and transportation organizations located in Ukraine, Western Europe, and North America.

Once located, the devices would be infected with a custom-built malware called GooseEgg, which granted the attackers elevated privileges and the ability to steal credentials across compromised systems.

Given that the patch has been available for almost two years now, applying it is the best and easiest way to protect endpoints from Russian spies.

Fancy Bear is probably Russia’s best-known threat actor. Some researchers have linked it to the GRU (the Russian General Staff Main Intelligence Directorate), the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation.

In mid-February this year, US law enforcement agents successfully shut down a malicious Fancy Bear botnet. At the time, the U.S. Department of Justice (DoJ) said its agents had conducted a “court-authorized operation” that neutralized a network of “hundreds of small office/home office (SOHO) routers”.

As explained by the DoJ, most of the Ubiquiti Edge OS routers used in the botnet had previously been infected by malware called Moobot, which was developed by a private hacking group. This group targeted routers with factory settings or otherwise easy-to-guess passwords to install the malware. Then APT 28 (the DoJ’s name for Fancy Bear) swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”

Via The Register
