Recently, researchers at the internet security company ESET discovered a new cyber-espionage advanced persistent threat (APT) group, FamousSparrow. Although the group also targets governments, international organizations, and private businesses around the globe, it primarily targets hotels. The attackers have obtained data from targets worldwide with the help of their custom backdoor, SparrowDoor. According to ESET researcher Matthieu Faou, the main motive of this advanced persistent threat group is espionage.
Exploiting the Vulnerabilities in Internet-Facing Apps
The analysts state that the group has been active since 2019, when it targeted a business group in Africa. Nevertheless, they first noticed the activities of FamousSparrow earlier this year, on March 3. They observed that the group was exploiting known remote code execution vulnerabilities in internet-facing applications. Among the flaws leveraged by FamousSparrow are the Microsoft Exchange bugs known as ProxyLogon, as well as vulnerabilities in SharePoint and Oracle Opera.
Once they have compromised a server, the attackers deploy several custom tools. These include a variant of Mimikatz, Nbtscan, and a small utility that drops ProcDump on disk. Besides that, the group also drops a loader for its SparrowDoor backdoor, a tool that is unique to FamousSparrow.
The backdoor enables attackers to gain complete control over compromised devices. It can read and write files, create directories, and exfiltrate data. It also includes a kill switch to restart or uninstall SparrowDoor. According to ESET researcher Matthieu Faou, the deployment of SparrowDoor together with the exploitation of server-side vulnerabilities is the main trait of this advanced persistent threat group.
Why Target Hotels?
According to researcher Faou, hotels are interesting targets because they allow cyber-espionage groups to track the travel habits of their targets. Moreover, by infiltrating a hotel's network, attackers could potentially spy on the network traffic of the people connected to it. He added that although the group has compromised many hotels, FamousSparrow has also breached various governments, engineering companies, international organizations, and law firms.
The advanced persistent threat group FamousSparrow has targeted victims across the globe, including in Europe (France, Lithuania, UK), the Middle East (Saudi Arabia, Israel), Asia (Taiwan), the Americas (Canada, Brazil, Guatemala), and Africa (Burkina Faso).
Is FamousSparrow a New or an Already Existing Advanced Persistent Threat Group?
ESET researchers have not established a link between FamousSparrow and any other known threat group. However, that does not automatically mean this advanced persistent threat group emerged recently; for now, one can only speculate.
One possibility is that it is a known group with connections to other APT groups, such as DRBControl and SparklingGoblin, that has evolved its toolset. Alternatively, one can argue that it is one of the groups that has successfully remained undetected for years.
The presence of advanced persistent threat groups like FamousSparrow in cyberspace is a troubling phenomenon. Above all, it is a reminder of how critical it is to patch internet-facing applications as quickly as possible. Where rapid patching is not possible, organizations are encouraged not to expose those applications to the Internet. You are also welcome to consult LIFARS to develop mitigating capabilities against evolving cybersecurity threats. We offer strategic and tactical advice to raise your organization's security maturity level.