Dubai - UAE: ESET researchers have uncovered a new cyberespionage group attacking mainly hotels worldwide but also governments, international organizations, engineering companies and law firms. ESET has named this group FamousSparrow and believes it has been active since at least 2019. FamousSparrow’s victims are located in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso). The targeting suggests that FamousSparrow’s intent is cyberespionage.

Reviewing telemetry data during its investigation, ESET Research discovered that FamousSparrow leveraged the Microsoft Exchange vulnerabilities known as ProxyLogon that ESET reported on in March 2021. This remote code execution vulnerability chain was used by more than 10 APT groups to take over Exchange email servers worldwide.

According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3, 2021, the day following the release of the patches, meaning it is yet another APT group that had access to the details of the ProxyLogon vulnerability chain in March 2021. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all,” advises Matthieu Faou, ESET researcher who uncovered FamousSparrow along with his colleague Tahseen Bin Taj.

“FamousSparrow is currently the only user of a custom backdoor that we discovered in the investigation and called SparrowDoor. The group also uses two custom versions of Mimikatz. The presence of any of these custom malicious tools could be used to connect incidents to FamousSparrow,” explains ESET researcher Tahseen Bin Taj.

Although ESET Research considers FamousSparrow to be a separate entity, there are some connections to other known APT groups. In one case, the attackers deployed a variant of Motnug, a loader used by SparklingGoblin. In another case, a machine compromised by FamousSparrow was also running Metasploit with cdn.kkxx888666[.]com as its command and control server, a domain related to a group known as DRDControl.

© Press Release 2021
