A new cyberespionage group is leveraging the Microsoft Exchange ProxyLogon vulnerabilities in attacks targeting hotels, governments, and private companies all over the world.
Dubbed FamousSparrow by ESET security researchers, the group is yet another threat actor using the ProxyLogon vulnerabilities to take over the Exchange mail servers of target organizations.
ProxyLogon is the name for a set of four remote code execution zero-day bugs tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 impacting Microsoft’s Exchange Server enterprise email product, which Microsoft patched in March this year. According to ESET, this remote code execution vulnerability has been used by more than 10 APT groups to take over Exchange mail servers worldwide since the start of the year.
ESET says that ProxyLogon was first exploited by the group on March 3, before Microsoft released emergency patches to the public. In addition to ProxyLogon, the threat actor has also been observed utilizing known vulnerabilities in Microsoft SharePoint and Oracle Opera, an enterprise property management system for hotel operations.
Once they gain a foothold inside a target network, the attackers deploy a custom backdoor named SparrowDoor and move laterally inside the compromised organization using tools such as a custom version of Mimikatz, a small utility that drops the ProcDump command-line tool on disk to collect credentials, and Nbtscan (a NetBIOS scanner).
While FamousSparrow appears to be a separate group, ESET researchers said they found links to other threat actors, such as SparklingGoblin (believed to be a member of the Winnti family) and DRBControl.
Believed to have been active since at least August 2019, FamousSparrow has been linked to attacks against governments, international organizations, engineering firms, legal companies, and the hospitality sector.
Victims are located in Europe, the United Kingdom, Israel, Saudi Arabia, Taiwan, Burkina Faso in West Africa, Brazil, Canada, and Guatemala.
“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera. This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all,” ESET said.
More technical details and Indicators of Compromise (IoCs) related to this threat actor are available in ESET’s report.