APT group uses Exchange vulnerability to spy on hotels, businesses and governments

Cybersecurity company ESET has released new research into FamousSparrow, a cyberespionage group attacking hotels worldwide, as well as governments, international organizations, engineering companies and law firms.

The Advanced Persistent Threat (APT) group FamousSparrow has been exploiting the Microsoft Exchange vulnerability known as ProxyLogon, which allows hackers to take control of Exchange servers.

Attacks started as early as the day after patches for the ProxyLogon vulnerability were released in March 2021.

"This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all," says Matthieu Faou, ESET researcher who uncovered FamousSparrow along with his colleague Tahseen Bin Taj.

Victims of the are located around the world, in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso). Researchers believe the targeting suggests that FamousSparrow's intent is cyberespionage.

Although a separate entity it's believed that FamousSparrow also has links to other known APT groups. It's believed to have been active since 2019.

"FamousSparrow is currently the only user of a custom backdoor that we discovered in the investigation and called SparrowDoor," explains ESET researcher Tahseen Bin Taj. "The group also uses two custom versions of Mimikatz. The presence of any of these custom malicious tools could be used to connect incidents to FamousSparrow."

You can read more about the attack and how it works on the ESET blog.

Image credit: Amir Kaljikovic/Shutterstock