A sophisticated advanced persistent threat (APT) group has been identified as the actor behind a series of cyberattacks around the world targeting hotels, government bodies, international organizations, engineering companies, and law firms.

The Slovak cybersecurity firm ESET has attributed these attacks to a group it has dubbed FamousSparrow. Active since at least August 2019, this group has impacted victims across multiple continents, including regions in Africa, Asia, Europe, the Middle East, and the Americas, with notable cases in countries such as Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala.

FamousSparrow's intrusions follow a consistent pattern: exploiting known vulnerabilities in internet-facing server applications, notably SharePoint and the Oracle Opera hotel management software. Of particular note is its use of the ProxyLogon remote code execution vulnerability chain in Microsoft Exchange Server, which Microsoft disclosed and patched on March 2, 2021. ESET observed FamousSparrow exploiting it from the following day, which places the group among the several threat actors that had working ProxyLogon exploits in early March 2021, before they were broadly available.

Intrusions attributed to the group began on March 3, 2021, and led to the deployment of several tools: a customized variant of the credential theft tool Mimikatz, the NetBIOS scanner Nbtscan, and a custom backdoor dubbed SparrowDoor. Together these cover the usual post-exploitation steps of stealing credentials, mapping the internal network, and keeping persistent access.

SparrowDoor is loaded through DLL search order hijacking: a legitimate, signed executable is dropped alongside a malicious DLL bearing the name of a library the executable expects to load, so the trusted binary resolves and executes the attacker's code from its own directory. The hijack is what gets the backdoor running under a trusted process; it is the backdoor itself, combined with the stolen credentials and the scanner, that lets the attackers move deeper into the compromised network. Once running, SparrowDoor lets the operators execute arbitrary commands and collect files, which are exfiltrated to a remote command-and-control (C2) server under the attackers' control.
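The load pattern just described leaves a visible trace on the endpoint: a process maps a DLL from its own directory rather than from a Windows system directory, and the DLL is typically unsigned or carries the name of a library that should only ever live in System32. The following Python is an added example for this page, not ESET's code and not taken from the FamousSparrow report; it runs a small detector for that pattern over constructed records shaped like Sysmon Event ID 7 ("Image loaded"), using only the Image, ImageLoaded, Signed and Signature fields. The list of system-only DLL names and all sample paths and publishers are assumptions made for the example.

```python
# Added example (not ESET's code or anything from the original report):
# a small detector for the DLL side-loading pattern described above, run
# over constructed Sysmon Event ID 7 ("Image loaded") records.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath

# Directories from which DLL loads are expected; anything else is checked.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumption for this example: names of DLLs that should only ever load
# from a Windows system directory. A real deployment would derive this
# list from a clean baseline of the fleet, not hard-code it.
SYSTEM_ONLY_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "rpcrt4.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # Sysmon field Image: the process executable
    image_loaded: str  # Sysmon field ImageLoaded: the DLL that was mapped
    signed: bool       # Sysmon field Signed, for the DLL
    signature: str     # Sysmon field Signature (publisher), "" if unsigned


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def side_load_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the load looks like search-order hijacking, or None."""
    img_dir = ntpath.dirname(_norm(ev.image))
    dll_path = _norm(ev.image_loaded)
    dll_dir = ntpath.dirname(dll_path)
    dll_name = ntpath.basename(dll_path)
    if dll_dir in SYSTEM_DIRS:
        return None  # loaded from where the loader should find it
    if dll_name in SYSTEM_ONLY_DLLS:
        return f"system DLL {dll_name} loaded from {dll_dir}"
    if dll_dir == img_dir and not ev.signed:
        return f"unsigned {dll_name} loaded from the process's own directory"
    return None


def scan(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every suspicious load."""
    hits = []
    for ev in events:
        reason = side_load_reason(ev)
        if reason:
            hits.append((ev.image, ev.image_loaded, reason))
    return hits


# Constructed sample events; paths and publishers are made up.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\rpcrt4.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Editor\editor.exe",
              r"C:\Program Files\Editor\qt5core.dll", True, "Editor Vendor"),
    # Signed vendor binary dropped into ProgramData next to an unsigned DLL
    # carrying the name it expects: the pattern described in the text.
    ImageLoad(r"C:\ProgramData\Indexer\indexer.exe",
              r"C:\ProgramData\Indexer\indexerui.dll", False, ""),
    # A system DLL name resolved from the executable's directory instead
    # of System32: a classic search-order hijack.
    ImageLoad(r"C:\Users\guest\Downloads\tool.exe",
              r"C:\Users\guest\Downloads\version.dll", False, ""),
]

if __name__ == "__main__":
    for proc, dll, why in scan(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {why}")
```

On a real fleet the records would come from the Sysmon operational log (Event ID 7 must be enabled in the Sysmon configuration, as it is off by default), and the two checks above are deliberately narrow: a signed DLL from the process directory is not flagged, so an attacker who steals or buys a code-signing certificate evades the unsigned rule, which is why the system-only name list should be built from a baseline rather than the handful of names used here.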

While ESET refrained from directly associating FamousSparrow with a specific nation, they noted parallels between the group’s tactics and those of SparklingGoblin, affiliated with the China-linked Winnti Group, and DRBControl, both of which have shown overlap with previously identified malware associated with Winnti and the Emissary Panda group.

The increased frequency and sophistication of these attacks underline the necessity for organizations to promptly address vulnerabilities in publicly facing applications. ESET researchers emphasized, “It is critical to patch internet-facing applications swiftly; if rapid patching is unfeasible, exposure to the internet should be minimized.” Business owners are urged to remain vigilant and proactive in their cybersecurity measures to mitigate risks associated with ever-evolving threats.
