New FamousSparrow hacking group caught targeting hotels

Microsoft Exchange ProxyLogon flaw used in attacks

Security researchers have revealed that a new hacking group dubbed FamousSparrow has been attacking hotels worldwide since 2019. The cyber criminals have also targeted law firms, governments, and private companies.

Security researchers at Eset said the group deals in cyber espionage and telemetry data and used the Microsoft Exchange vulnerabilities known as ProxyLogon. This is a remote code execution vulnerability used by more than 10 APT groups to take over Exchange mail servers worldwide. 

The group has used the flaw since March 3, only a day after Microsoft released security patches for them.

The APT group has targeted victims from Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the UK.

The gang uses a  custom backdoor, dubbed SparrowDoor in its attacks, and two custom versions of Mimikatz. Researchers also discovered a link between FamousSparrow and other APT groups, such as SparklingGoblin and the DRBControl group.

In a few cases, the researchers found the initial compromise vector used by FamousSparrow and systems compromised through vulnerable internet-facing web applications.

“We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” the researchers added.

Related Resource

Optimising performance with frequent server replacements for enterprises

Learn more about Dell Technologies solutions powered by Intel®

Servers with three portraits of the whitepaper authors aboveFree download

Once a server is compromised, hackers deploy customer tools, such as a Mimikatz variant, a small utility that drops ProcDump on disk and uses it to dump the lsass process, Nbtscan, a NetBIOS scanner, and a loader for the SparrowDoor backdoor.

The SparrowDoor backdoor is initially loaded via DLL search order hijacking. This then makes a connection to the hackers’ C2 for data exfiltration. The backdoor can also create directories, read and write files, and exfiltrate data.  There is also a kill switch that gives the backdoor the privilege to uninstall or restart SparrowDoor. 

“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera,” said researchers. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Microsoft launches platform to help firms monitor carbon emissions
cloud computing

Microsoft launches platform to help firms monitor carbon emissions

27 Oct 2021
Google and Microsoft smash estimates on strong cloud growth
Cloud

Google and Microsoft smash estimates on strong cloud growth

27 Oct 2021
Microsoft resellers warned of Nobelium attacks on IT supply chain
cyber attacks

Microsoft resellers warned of Nobelium attacks on IT supply chain

25 Oct 2021
AMD and Microsoft fix Ryzen performance in Windows 11
Hardware

AMD and Microsoft fix Ryzen performance in Windows 11

22 Oct 2021

Most Popular

UK spy agencies supercharge espionage efforts with AWS data deal
cloud computing

UK spy agencies supercharge espionage efforts with AWS data deal

26 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021