Cybersecurity company ESET has released new research on FamousSparrow, a cyber espionage group targeting hotels around the world as well as governments, international organizations, engineering firms and law firms.

The FamousSparrow advanced persistent threat (APT) group exploits the Microsoft Exchange vulnerability known as ProxyLogon, which allows attackers to take control of Exchange servers.

Attacks began the day after patches for the ProxyLogon vulnerability were released in March 2021.

“This is another reminder that it’s important to quickly patch Internet-connected applications or, if rapid patching is not possible, not to expose them to the Internet at all,” says Matthieu Faou, the ESET researcher who discovered FamousSparrow with his colleague Tahseen Bin Taj.

The victims are located around the world, in Europe (France, Lithuania, UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso). Researchers believe the targeting suggests that FamousSparrow’s intent is cyber espionage.

Although it is a separate entity, FamousSparrow is believed to have ties to other well-known APT groups. It is believed to have been active since 2019.

“FamousSparrow is currently the only user of a custom backdoor that we discovered during the investigation and that is called SparrowDoor,” explains ESET researcher Tahseen Bin Taj. “The group also uses two custom versions of Mimikatz. The presence of one of these custom malicious tools could be used to link incidents to FamousSparrow.”

You can learn more about the attack and how it works on the ESET blog.
