Security researchers have revealed that a new hacking group dubbed FamousSparrow has been attacking hotels worldwide since 2019. The cyber criminals have also targeted law firms, governments, and private companies.
Security researchers at Eset said the group deals in cyber espionage and telemetry data and used the Microsoft Exchange vulnerabilities known as ProxyLogon. This is a remote code execution vulnerability used by more than 10 APT groups to take over Exchange mail servers worldwide.
The group has used the flaw since March 3, only a day after Microsoft released security patches for them.
The APT group has targeted victims from Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the UK.
The gang uses a custom backdoor, dubbed SparrowDoor in its attacks, and two custom versions of Mimikatz. Researchers also discovered a link between FamousSparrow and other APT groups, such as SparklingGoblin and the DRBControl group.
In a few cases, the researchers found the initial compromise vector used by FamousSparrow and systems compromised through vulnerable internet-facing web applications.
“We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” the researchers added.
Optimising performance with frequent server replacements for enterprises
Learn more about Dell Technologies solutions powered by Intel®
Once a server is compromised, hackers deploy customer tools, such as a Mimikatz variant, a small utility that drops ProcDump on disk and uses it to dump the lsass process, Nbtscan, a NetBIOS scanner, and a loader for the SparrowDoor backdoor.
The SparrowDoor backdoor is initially loaded via DLL search order hijacking. This then makes a connection to the hackers’ C2 for data exfiltration. The backdoor can also create directories, read and write files, and exfiltrate data. There is also a kill switch that gives the backdoor the privilege to uninstall or restart SparrowDoor.
“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera,” said researchers. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”
