A cyber-espionage group that’s targeted hotels and international governments since at least 2019 at times used a known Microsoft vulnerability to breach their victims, according to research published Thursday by ESET, a Slovakian security vendor.
ESET dubbed the group FamousSparrow in a blog post published Wednesday, and labeled it an “advanced persistent threat,” often used to describe nation-state groups or those of equivalent sophistication. More than 10 other APT groups have used a remote code execution vulnerability in Microsoft Exchange servers, by ESET’s count, a flaw that was also the focus of suspected Chinese hackers and scammers who sought to mine cryptocurrency, among others.
ESET did not identify the hotel organizations or the governments in question.
The FamousSparrow group started to exploit the Microsoft vulnerabilities on March 3, 2021, after a software fix became available, according to the blog post. The group went after targets in Brazil, Burkina Faso, Canada, France, Guatemala, Israel, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand and the United Kingdom.
The Microsoft Exchange attack path, which involves technology known as Proxy Logon, has had a long shelf life for hackers after the initial splurge. Microsoft published numerous software updates this year, urging organizations to patch the flaws before hackers could seize on the issue.
Recently-revealed victims from the early attacks include the Republican Governors Association. But according to researcher Orange Tsai, ProxyLogon isn’t a single bug but a “whole new attack surface,” and related vulnerabilities emerged in August.
As for FamousSparrow’s targets, it’s far from the first time cyber-espionage groups have gone after the hospitality industry, although FamousSparrow also has pursued governments, international organizations, engineering companies and law firms.
“Hotels are interesting for cyber-espionage groups because it allows them to track the travels of their targets and, by infiltrating the network of the hotels, they could potentially spy on the network traffic of people staying at these hotels,” Matthieu Faou, malware researcher at ESET, said in an email.
ESET didn’t attribute the FamousSparrow group to a specific country. But it found similarities between its techniques and those of SparklingGoblin, an offshoot of the China-linked Winnti Group, and DRBControl, which also has possible Winnti Group ties.
In July, the U.S. government blamed China for exploiting the Microsoft Exchange Server attacks that opened the door to ransomware attacks on tens of thousands of victims globally.