
Hacking group used ProxyLogon exploits to break into hotels around the world


Picture: Marten Björk

A recently discovered cyber espionage group has been targeting hotels around the world since at least 2019, as well as high profile targets such as governments, international organizations, law firms and engineering companies.

Slovak security company ESET spotted the hacking group, which it dubbed FamousSparrow, and classifies it as an advanced persistent threat (APT).

Cyber spies targeted victims across Europe (France, Lithuania, United Kingdom), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso) in attacks spanning the last two years.

“The targeting, which includes governments around the world, suggests that FamousSparrow’s intention is espionage,” ESET researchers Matthieu Faou and Tahseen Bin Taj said.

Geographic distribution of FamousSparrow targets
Image: ESET

ProxyLogon exploits used one day after patch

The group has used several attack vectors against internet-exposed web applications to breach its targets' networks, including remote code execution vulnerabilities in Microsoft SharePoint, in Oracle Opera hotel management software, and in Microsoft Exchange, where it used the set of vulnerabilities known as ProxyLogon.

After breaching their victims' networks, the group deployed custom tooling: a modified variant of Mimikatz, the well-known tool that harvests credentials by reading the memory of the Windows LSASS process (the Local Security Authority Subsystem, which holds password hashes and Kerberos tickets for logged-on users), and a backdoor known as SparrowDoor that ESET has only seen used by FamousSparrow.

“FamousSparrow is currently the only user of a custom backdoor that we discovered during the investigation called SparrowDoor. The group also uses two custom versions of Mimikatz,” Bin Taj explained.

“The presence of any of these custom malicious tools could be used to connect incidents to FamousSparrow.”
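Reading LSASS memory leaves a trace that defenders can hunt for: a process opening lsass.exe with read rights. The following detection logic, an added example rather than anything from ESET's report, runs over constructed Sysmon Event ID 10 (ProcessAccess) records. The access-mask values are the documented Windows process rights; the allowlist of benign source processes is an illustrative assumption that has to be tuned per environment.

```python
"""Added example (not ESET's code): flag Sysmon Event ID 10 (ProcessAccess)
records in which a process opens lsass.exe with memory-read rights, the
access pattern a Mimikatz-style credential harvester needs."""
from typing import Dict, List

# Process access rights from winnt.h.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: processes that legitimately touch LSASS on this fleet.  This
# list is illustrative only; build the real one from a baseline of your hosts.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed events carrying the Sysmon EID 10 fields the check uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: a service queries LSASS but asks for no memory-read right.
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"},
    # Mimikatz-style: unknown binary, VM_READ | QUERY_LIMITED_INFORMATION.
    {"SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Users\Public\m.exe+2b2f"},
    # Dump-style: rundll32 loading comsvcs.dll with full access (MiniDump).
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\comsvcs.dll+1b9c5"},
    # Same unknown binary, but the target is not LSASS.
    {"SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": ""},
]


def is_lsass_credential_access(event: Dict[str, str]) -> bool:
    """True when a non-allowlisted process opened lsass.exe with a mask that
    includes PROCESS_VM_READ, i.e. it can copy credential material out."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False                      # can query, cannot read memory
    return event["SourceImage"].lower() not in BENIGN_SOURCES


def classify(event: Dict[str, str]) -> str:
    """Coarse label for the analyst: full-access opens usually mean a dump
    tool, read+query opens usually mean an in-memory parser like Mimikatz."""
    granted = int(event["GrantedAccess"], 16)
    if granted == PROCESS_ALL_ACCESS:
        return "full-access (dump tool)"
    if granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        return "read+query (mimikatz-style)"
    return "read"


def flag_lsass_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the suspicious events, each annotated with a 'Verdict' field."""
    hits = []
    for e in events:
        if is_lsass_credential_access(e):
            hits.append({**e, "Verdict": classify(e)})
    return hits


if __name__ == "__main__":
    for hit in flag_lsass_access(SAMPLE_EVENTS):
        print(hit["SourceImage"], hit["GrantedAccess"], hit["Verdict"])
```

The VM_READ bit is the discriminator that matters: many legitimate processes query LSASS, almost none read its memory, so an allowlist of readers stays short. Expect to extend the allowlist for EDR agents and some backup products before this is alert-worthy.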

The group also began exploiting the ProxyLogon vulnerabilities against unpatched Microsoft Exchange servers in March 2021, one day after Microsoft released fixes for the bugs.

ESET also published details on at least ten other hacking groups that joined the Microsoft Exchange attack frenzy in March and actively abused these bugs.

According to reports from other security companies, in-the-wild exploitation began on January 3, 2021, weeks before the bugs were reported to Microsoft, which released fixes on March 2.

After scanning around 250,000 internet-exposed Exchange servers worldwide in March, the Dutch Institute for Vulnerability Disclosure (DIVD) found 46,000 servers still unpatched against the ProxyLogon vulnerabilities.
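Counting unpatched servers tells you exposure, not whether a given server was actually hit. The check below, an added example that is neither ESET's nor Microsoft's code, implements the HttpProxy log indicator Microsoft published for the ProxyLogon SSRF bug (CVE-2021-26855): an Autodiscover request with an empty AuthenticatedUser whose AnchorMailbox names a backend server and path (`ServerInfo~<host>/<path>`) instead of a mailbox. The log sample is constructed in a simplified HttpProxy layout (a few of the real columns, with `#Fields:` supplying the header), and the paths and addresses in it are invented.

```python
"""Added example (not ESET's or Microsoft's code): scan Exchange HttpProxy
Autodiscover logs for the CVE-2021-26855 indicator, an unauthenticated
request whose AnchorMailbox looks like 'ServerInfo~<backend>/<path>'."""
import csv
import re
from typing import Dict, List

# Constructed sample.  Real HttpProxy logs carry ~70 columns; only the ones the
# check needs are kept.  The rows from 198.51.100.7 represent exploitation.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T01:12:40.113Z,1a2b,10.0.0.25,/autodiscover/autodiscover.xml,CONTOSO\\alice,alice@contoso.example
2021-03-03T01:13:02.509Z,3c4d,198.51.100.7,/autodiscover/autodiscover.json,,ServerInfo~localhost/autodiscover/autodiscover.json?a=1
2021-03-03T01:13:05.771Z,5e6f,198.51.100.7,/autodiscover/autodiscover.json,,ServerInfo~localhost/ecp/proxyLogon.ecp?a=1
2021-03-03T01:15:11.004Z,7a8b,10.0.0.31,/autodiscover/autodiscover.json,CONTOSO\\bob,bob@contoso.example
"""

# Same shape as the PowerShell filter -like 'ServerInfo~*/*'.
SSRF_ANCHOR = re.compile(r"^ServerInfo~.+/")


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the log into rows.  A '#Fields:' line supplies the column names
    and other '#' lines are metadata; if no '#Fields:' line exists, the first
    non-comment line is taken as a plain CSV header."""
    header = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = line[len("#Fields:"):].strip().split(",")
            continue
        values = next(csv.reader([line]))
        if header is None:
            header = values
            continue
        rows.append(dict(zip(header, values)))
    return rows


def find_ssrf_hits(text: str) -> List[Dict[str, str]]:
    """Rows matching the indicator: no authenticated user, and an AnchorMailbox
    that routes the request to a backend path rather than to a mailbox."""
    return [
        row for row in parse_httpproxy_log(text)
        if row.get("AuthenticatedUser", "") == ""
        and SSRF_ANCHOR.match(row.get("AnchorMailbox", ""))
    ]


def attacker_sources(text: str) -> Dict[str, int]:
    """Client IPs behind the hits with request counts, for blocking/pivoting."""
    counts: Dict[str, int] = {}
    for row in find_ssrf_hits(text):
        ip = row["ClientIpAddress"]
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_ssrf_hits(SAMPLE_LOG):
        print(row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    print(attacker_sources(SAMPLE_LOG))
```

A hit on a server that was already patched when the request arrived is an attempt, not a compromise; correlate the timestamp with the patch time and, for the unpatched window, go on to check for web shells under the Exchange virtual directories. On a real server, point the parser at the files under the Exchange `Logging\HttpProxy\Autodiscover` directory.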

Timeline of ProxyLogon attacks
Image: ESET

Links to other APT groups

ESET also found links to two other known APT groups, SparklingGoblin and DRBControl, in the form of shared malware variants and related configurations.

However, as the researchers said, FamousSparrow is seen as a separate entity that likely leveraged its access to compromised hotel systems for espionage purposes, including tracking specific high-level targets.

“FamousSparrow is another APT group that gained access to the ProxyLogon remote code execution vulnerability in early March 2021. It is used to exploiting known vulnerabilities in server applications such as SharePoint and Oracle Opera,” the ESET researchers concluded.

“This is another reminder that it is essential to patch internet-facing applications quickly or, if quick patching is not possible, not to expose them to the internet at all.”

