"FamousSparrow" exploits Microsoft Exchange security holes from March 2021. Hacker group spies on governments and organizations in hotels.
A cyber espionage group that has hitherto been inconspicuous has impressively demonstrated how quickly a vulnerability that has become known can be exploited. “FamousSparrow” started its espionage attacks exactly one day after the Microsoft Exchange security holes were published (March 2021). This so-called Advanced Persistent Threat (APT) primarily attacks hotels around the world. But goals in other areas such as governments, international organizations, engineering offices and law firms are now on the agenda. The ESET researchers have examined the hacking group's approach and published it on the security blog welivesecurity.de.
Worldwide cyber espionage in progress
FamousSparrow is another APT group that had access to the ProxyLogon remote code execution vulnerability in early March 2021. In the past, the hackers exploited known vulnerabilities in server applications such as SharePoint and Oracle Opera.
In the current case, the victims are in Europe (France, Lithuania, United Kingdom), the Middle East (Israel, Saudi Arabia), North and South America (Brazil, Canada and Guatemala), Asia (Taiwan) and Africa (Burkina Faso). The choice of targets suggests that FamousSparrow is primarily engaged in cyber espionage.
APT group exploits Microsoft Exchange security holes
According to the ESET researchers, the hacking group began to exploit the vulnerabilities on March 03.03.2021rd, XNUMX, exactly one day after the patch was published. The custom backdoor SparrowDoor and two versions of Mimikatz were used. The latter is also used by the infamous Winnti Group.
“This espionage attack shows once again how important it is to close security gaps promptly. If this - for whatever reason - is not possible, the affected devices should not be connected to the Internet, ”recommends ESET researcher Mathieu Tartare, who analyzed FamousSparrow with his colleague Tahseen Bin Taj.
The FamousSparrow hacking group may not be working alone. Some traces indicate a connection to SparklingGoblin and DRBControl. In one case, the attackers used a variant of Motnug, which is a loader used by SparklingGoblin. In another case, the EXET experts found a running Metasploit with cdn.kkxx888666 [.] Com as the C&C server on a computer that had been compromised by FamousSparrow. This domain is linked to a group called DRDControl.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.