FamousSparrow Team: Spied on hotels around the world

A newly discovered cyber espionage group called FamousSparrow has been targeting hotels around the world since at least 2019, as well as high-profile targets such as governments, international organizations, law firms and engineering companies.

The Slovak internet security company ESET identified the hacking group, which it named FamousSparrow, and described it as an "advanced persistent threat".

Over the last two years, the cyber-spies have targeted victims across Europe (France, Lithuania, the United Kingdom), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso).

ProxyLogon exploits used one day after the patch

The group has breached its targets' networks through multiple Internet-exposed web applications, exploiting remote code execution vulnerabilities in Microsoft SharePoint, in the Oracle Opera hotel management software, and in Microsoft Exchange, the latter being the security vulnerabilities known as ProxyLogon.


After breaching a victim's network, the group deployed custom tools: a Mimikatz variant, a small utility that collects memory contents (such as credentials) by dumping the Windows LSASS process, and a backdoor known as SparrowDoor that is used only by FamousSparrow.
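The LSASS-dumping step described above has a well-known detection signal: a process opening a handle to lsass.exe with memory-read rights. The script below is an added illustration written for this article, not ESET's code or a FamousSparrow artefact. It runs a simple detection rule over constructed Sysmon Event ID 10 (ProcessAccess) records in a simplified one-JSON-object-per-line form; the allowlist of legitimate source processes is an assumption to be tuned per environment.

```python
"""Flag suspicious handle opens on LSASS from Sysmon ProcessAccess (Event ID 10) records.

Added detection example for this article; not code from ESET or the original page.
The event records below are constructed sample data, not real telemetry.
"""
import json

# Windows process access right that a memory dump needs (PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS with read rights.
# Assumption: a minimal allowlist; a real deployment tunes this per environment.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 records, one JSON object per line.
# GrantedAccess is the hex access mask Sysmon records for the opened handle.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\services.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Users\\guest\\AppData\\Local\\Temp\\procdump64.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\mk.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    # Sysmon writes the mask as a hex string such as "0x1010"; int() accepts the prefix.
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCE_IMAGES


def find_lsass_dumping(lines):
    """Return (SourceImage, GrantedAccess) pairs for every record that trips the rule."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_lsass_access(event):
            alerts.append((event["SourceImage"], event["GrantedAccess"]))
    return alerts


if __name__ == "__main__":
    for source, access in find_lsass_dumping(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: LSASS handle opened by {source} (GrantedAccess={access})")
```

On the constructed input the rule fires twice, for procdump64.exe and mk.exe, while the allowlisted services.exe open and the unrelated notepad.exe access are ignored. Matching on the access mask rather than on a tool name is the point: a renamed Mimikatz variant still needs PROCESS_VM_READ on LSASS to harvest credentials.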

In March 2021, one day after Microsoft patched the bugs, the spy group also began targeting Microsoft Exchange servers that had not been patched against the ProxyLogon vulnerabilities.

ESET has also shared information about at least ten hacking groups that joined the Microsoft Exchange attacks in March and actively abused these bugs.

According to reports from other security companies, exploitation of these bugs began on January 3, long before Microsoft released the patches on March 2.

After scanning about 250,000 Internet-exposed Exchange servers worldwide in March, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon vulnerabilities.


Links to other APT groups

ESET has also found links to other known APT groups, SparklingGoblin and DRBControl, in the form of shared malware variants and related configurations.

However, the researchers said, FamousSparrow is considered a separate entity that may have taken advantage of its access to compromised hotel systems for espionage purposes, including tracking specific high-profile targets.

Teo Ehc