Security researchers have revealed that a new hacking group dubbed FamousSparrow has been attacking hotels worldwide since 2019. The cyber criminals have also targeted law firms, governments, and private companies.
Security researchers at Eset said the group deals in cyber espionage and telemetry data and used the Microsoft Exchange vulnerabilities known as ProxyLogon. This is a remote code execution vulnerability used by more than 10 APT groups to take over Exchange mail servers worldwide.
The group has used the flaw since March 3, only a day after Microsoft released security patches for them.
The APT group has targeted victims from Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the UK.
The gang uses a custom backdoor, dubbed SparrowDoor in its attacks, and two custom versions of Mimikatz. Researchers also discovered a link between FamousSparrow and other APT groups, such as SparklingGoblin and the DRBControl group.
In a few cases, the researchers found the initial compromise vector used by FamousSparrow and systems compromised through vulnerable internet-facing web applications.
“We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” the researchers added.
RELATED RESOURCE
Optimising performance with frequent server replacements for enterprises
Learn more about Dell Technologies solutions powered by Intel®
Once a server is compromised, hackers deploy customer tools, such as a Mimikatz variant, a small utility that drops ProcDump on disk and uses it to dump the lsass process, Nbtscan, a NetBIOS scanner, and a loader for the SparrowDoor backdoor.
The SparrowDoor backdoor is initially loaded via DLL search order hijacking. This then makes a connection to the hackers’ C2 for data exfiltration. The backdoor can also create directories, read and write files, and exfiltrate data. There is also a kill switch that gives the backdoor the privilege to uninstall or restart SparrowDoor.
“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera,” said researchers. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Nasuni targets fresh growth under revamped leadership teamNews The unified file data platform provider has announced a trio of executive hires as the firm looks to strengthen its standing in the enterprise AI era
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
