Researchers from cybersecurity company ESET have identified a new advanced persistent threat (APT) group. The hackers, dubbed FamousSparrow, are believed to be responsible for attacks around the world. Their specialty is cyber espionage.
FamousSparrow is believed to have been active since at least 2019. Like other APTs, the group is believed to have been exploiting the chain of Microsoft Exchange vulnerabilities known as ProxyLogon since March 2021, compromising the Exchange servers of governments, international organizations, hospitals and other institutions.
The researchers concluded that FamousSparrow is the only group currently using its custom backdoor, and that the group remains active. Once a system is compromised, the attackers are also believed to use custom variants of the Mimikatz credential-theft tool.
FamousSparrow, governments, hotels and espionage
After a thorough analysis of FamousSparrow's behavior, ESET's experts conclude that the attackers' intent is espionage, judging by their targets: governments, engineering companies, law firms, international organizations and healthcare institutions.
Hotels, however, are among the organizations most affected by FamousSparrow. That fits the espionage reading: compromising the systems of the places where targets stay lets a spy group track their movements and travel.
Microsoft Exchange Server is a mail server used by millions of customers around the world. It supports hybrid deployments, with mailboxes in the cloud or on the company's on-premises servers, and it is precisely the unpatched on-premises servers that are vulnerable to ProxyLogon.
Earlier this year, Microsoft released security updates addressing ProxyLogon for Exchange Server 2013, 2016 and 2019. Given the critical nature of the flaws and the threat posed by FamousSparrow, Redmond recommends applying the updates immediately.
ESET likewise urges system administrators to update Exchange Server. The advice applies not only to IT teams but to anyone who wants to stay protected online, because malicious actors do not rest.
ESET's full report on FamousSparrow details how the backdoor works and provides extensive information on the group's modus operandi. It can be consulted on the company's blog.
FamousSparrow is not the only malicious actor taking advantage of ProxyLogon: experts have linked attacks to at least ten groups. The group began exploiting the vulnerabilities the day after Microsoft disclosed them and released the patches.