A newly discovered cyber espionage group called FamousSparrow has been targeting hotels around the world since at least 2019, as well as high-profile targets such as governments, international organizations, law firms and engineering companies.
The Slovak internet security company ESET identified the group and describes it as an "advanced persistent threat" (APT).
Over the last two years, its victims have been spread across Europe (France, Lithuania, the United Kingdom), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso).
ProxyLogon exploited one day after the patch
The group has gained initial access through several Internet-facing web applications, including remote code execution vulnerabilities in Microsoft SharePoint, the Oracle Opera hotel property management software, and the Microsoft Exchange vulnerabilities known as ProxyLogon.
After breaching a victim's network, the group deploys custom tools such as a Mimikatz variant, a small utility that collects memory content (including credentials) by dumping the Windows LSASS process, and a backdoor known as SparrowDoor that is used only by FamousSparrow.
The group also began targeting Microsoft Exchange servers that had not been patched against the ProxyLogon vulnerabilities in March 2021, one day after Microsoft released the fixes.
ESET also reported on at least ten other hacking groups that actively abused these bugs after joining the wave of Microsoft Exchange attacks in March.
After scanning about 250,000 Internet-exposed Exchange servers worldwide in March, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon vulnerabilities.
Links to other APT groups
ESET has also found links to other known APT groups, namely SparklingGoblin and DRBControl, based on shared malware variants and related configurations.
However, the researchers said, FamousSparrow is considered a separate entity that may have taken advantage of its access to compromised hotel systems for espionage purposes, including tracking specific high-profile targets.
Source of information: bleepingcomputer.com