
New FamousSparrow hacking group caught targeting hotels

Microsoft Exchange ProxyLogon flaw used in attacks

Security researchers have revealed that a new hacking group dubbed FamousSparrow has been attacking hotels worldwide since 2019. The cyber criminals have also targeted law firms, governments, and private companies.

Security researchers at Eset said the group is engaged in cyber espionage and that, according to Eset's telemetry, it used the Microsoft Exchange vulnerabilities known as ProxyLogon. ProxyLogon is a remote code execution flaw that more than 10 APT groups have used to take over Exchange mail servers worldwide.

The group has exploited the flaw since March 3, 2021, only a day after Microsoft released security patches for the vulnerabilities.

The APT group has targeted victims from Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the UK.

The gang uses a custom backdoor, dubbed SparrowDoor, in its attacks, along with two custom versions of Mimikatz. Researchers also found links between FamousSparrow and other APT groups, such as SparklingGoblin and the DRBControl group.

In a few cases, the researchers were able to identify the initial compromise vector used by FamousSparrow: the systems were compromised through vulnerable internet-facing web applications.

“We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” the researchers added.


Once a server is compromised, the hackers deploy custom tools: a Mimikatz variant; a small utility that drops ProcDump on disk and uses it to dump the LSASS process; Nbtscan, a NetBIOS scanner; and a loader for the SparrowDoor backdoor.
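The ProcDump-against-LSASS step described above is one of the more detectable moments in this tool chain. The following is an added example written for this article (not Eset's or IT Pro's code): two detection rules run over constructed Sysmon-style events, one for a process-creation record where ProcDump (even if renamed on disk) is invoked with a memory-dump switch against lsass, and one for a process-access record where a non-allowlisted process opens lsass.exe with PROCESS_VM_READ. Field names follow Sysmon Event ID 1 and Event ID 10; the events, paths and allowlist are assumptions built for the demo.

```python
"""Flag LSASS credential-dumping activity in Sysmon-style process events.

Added example for this article; it is not ESET's or IT Pro's code. Field
names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 10
(ProcessAccess). The events below are constructed for the demo.
"""
import re

# PROCESS_VM_READ must be granted to read another process's memory; a
# MiniDumpWriteDump of lsass.exe cannot succeed without it.
PROCESS_VM_READ = 0x0010

# procdump switches that write a full (-ma) or mini (-mm) memory dump.
DUMP_SWITCH = re.compile(r"(?i)(^|\s)-m[am](\s|$)")
LSASS_TARGET = re.compile(r"(?i)(^|\s)lsass(\.exe)?(\s|$)")

# Constructed allowlist: processes expected to open lsass.exe with read
# access on this host (in practice the EDR/AV agent; adjust per estate).
DEFAULT_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # ProcDump renamed to pd.exe; Sysmon still records the PE's OriginalFileName.
    {"EventID": 1, "Image": r"C:\Windows\Temp\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # pd.exe opening lsass.exe with full access (0x1FFFFF includes VM_READ).
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # csrss.exe querying lsass with 0x1400 (no VM_READ): benign.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    # Defender opening lsass with VM_READ: allowlisted.
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
]


def flag_process_create(evt):
    """Return a reason string if the event is ProcDump dumping lsass, else None."""
    names = (evt.get("OriginalFileName", "") + " " + evt.get("Image", "")).lower()
    cmd = evt.get("CommandLine", "")
    if "procdump" in names and DUMP_SWITCH.search(cmd) and LSASS_TARGET.search(cmd):
        return f"procdump memory dump of lsass: {cmd}"
    return None


def flag_process_access(evt, allowlist=DEFAULT_ALLOWLIST):
    """Return a reason string if a non-allowlisted process opened lsass with VM_READ."""
    if not evt.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    src = evt.get("SourceImage", "")
    if src.lower() in allowlist:
        return None
    granted = int(evt.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return f"{src} opened lsass.exe with GrantedAccess 0x{granted:X}"
    return None


def scan(events, allowlist=DEFAULT_ALLOWLIST):
    """Run both rules over a list of events; return (EventID, reason) hits."""
    hits = []
    for evt in events:
        if evt.get("EventID") == 1:
            reason = flag_process_create(evt)
        elif evt.get("EventID") == 10:
            reason = flag_process_access(evt, allowlist)
        else:
            reason = None
        if reason:
            hits.append((evt["EventID"], reason))
    return hits


if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {reason}")
```

On the sample data the scan raises two alerts, the renamed ProcDump invocation and its subsequent open of lsass.exe, while the csrss.exe query without VM_READ and the allowlisted Defender access are ignored. The OriginalFileName check matters because the binary was dropped under an arbitrary name; the access-mask rule catches dumpers that are not ProcDump at all, at the cost of needing a per-estate allowlist.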

The SparrowDoor backdoor is initially loaded via DLL search order hijacking. Once running, it connects to the attackers' command-and-control (C2) server. The backdoor can create directories, read and write files, and exfiltrate data, and it also implements a kill switch that can uninstall or restart SparrowDoor.
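Loading a backdoor via DLL search order hijacking relies on the Windows loader looking in the executable's own directory before System32 for any imported DLL that is not on the KnownDLLs list. The following is an added example written for this article (not Eset's or IT Pro's tooling): a small audit that, given an application directory, the executable's import list and a listing of System32, reports DLL names that an app-directory copy would shadow, and names that could be planted because the directory is writable. The import list, System32 listing and KnownDLLs subset are constructed for the demo; on a real host the imports would come from the PE import table and the other two from the machine itself.

```python
"""Audit an application directory for DLL search-order hijack candidates.

Added example for this article; it is not ESET's or IT Pro's tooling. The
loader resolves a DLL by name: entries in the KnownDLLs list always come
from System32, while any other imported DLL is looked up in the
executable's own directory before the system directories. A file in the
application directory whose name matches a System32 DLL the executable
imports therefore wins the search ("shadowing"); a writable application
directory missing such a DLL is a spot where one could be planted.

Inputs here are constructed: the import list would normally come from the
PE import table and the System32 listing from the host itself.
"""
import os
import tempfile
from pathlib import Path

# Constructed subset of the KnownDLLs registry list; these are never
# resolved from the application directory.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
              "ole32.dll", "shell32.dll", "ws2_32.dll"}


def audit(app_dir, imports, system32_dlls, known_dlls=KNOWN_DLLS):
    """Classify imported DLL names by how they would resolve from app_dir.

    Returns {"shadowing": [...], "plantable": [...]} with names sorted.
    """
    app_dir = Path(app_dir)
    present = {p.name.lower() for p in app_dir.iterdir() if p.suffix.lower() == ".dll"}
    writable = os.access(app_dir, os.W_OK)
    shadowing, plantable = [], []
    for name in (n.lower() for n in imports):
        if name in known_dlls or name not in system32_dlls:
            continue  # KnownDLL, or a private DLL that belongs to the app
        if name in present:
            shadowing.append(name)   # app-dir copy overrides System32
        elif writable:
            plantable.append(name)   # absent now, but anyone with write access could add it
    return {"shadowing": sorted(shadowing), "plantable": sorted(plantable)}


def demo():
    """Build a throwaway app directory and run the audit on it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        for fname in ("app.exe", "version.dll", "appcore.dll"):
            (app / fname).write_bytes(b"MZ")  # placeholders, not real PE files
        # Constructed import list and System32 listing.
        imports = ["kernel32.dll", "version.dll", "appcore.dll", "dbghelp.dll"]
        system32 = {"kernel32.dll", "version.dll", "dbghelp.dll", "wininet.dll"}
        return audit(app, imports, system32)


if __name__ == "__main__":
    print(demo())
```

In the demo, version.dll sitting next to the executable shadows the System32 copy and would be loaded in its place, dbghelp.dll is reported as plantable because the directory is writable and the executable imports it, kernel32.dll is skipped as a KnownDLL, and appcore.dll is treated as the application's own private library. The practical fixes are the usual ones: do not let the application directory be writable by the users who run it, and have loaders that need system DLLs request them by full path or via LOAD_LIBRARY_SEARCH_SYSTEM32.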

“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera,” the researchers said. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”
