[TheRecord] A new APT is targeting hotels across the world

A new advanced persistent threat (APT), a term used to describe state-sponsored cyber-espionage groups, has been spotted mounting attacks against hotels across the world.

Codenamed FamousSparrow, this new APT was discovered by Slovak security firm ESET, which said it’s been tracking its attacks as far back as 2019.

“FamousSparrow’s victims are located in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan), and Africa (Burkina Faso),” the company said in a report shared with The Record.

Besides hotels, the attacks also hit governments, international organizations, engineering companies, and law firms.

“The targeting suggests that FamousSparrow’s intent is cyberespionage,” ESET researchers said today.

Entering via unpatched web applications

Most of the attacks followed the same pattern, with the group using vulnerabilities in web applications as entry points into its victims’ networks. According to ESET, past attacks exploited security flaws in:

Microsoft Exchange
Microsoft SharePoint
Oracle Opera (business software for hotel management)

Also notable is that FamousSparrow was one of the first APTs to mount attacks using the ProxyLogon vulnerability in Microsoft Exchange email servers.

ESET said the group weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability’s existence, with the first attacks recorded on March 3, 2021.

Once FamousSparrow had a foothold inside a target network, ESET researchers said the attackers deployed a custom backdoor named SparrowDoor, which served as a pivot point for moving laterally inside the compromised organization using public tools such as Mimikatz and Metasploit.

But while ESET noted that the FamousSparrow group used tools previously linked to espionage operations carried out by other groups such as DRBControl [PDF] and SparklingGoblin, the researchers also said they are not yet ready to attribute the group to any particular state.

Hotels are often targeted for intelligence gathering

The group now joins the ranks of other APTs that have historically targeted hotels, such as the infamous DarkHotel, APT28, and the Rana Group, which didn’t target hotels directly but rather hotel room booking systems.

The purpose of compromising hotels is simple: it allows cyber-espionage groups to track the movement of persons of interest.

For the same reason, APTs often also target telcos and airline companies, seeking to gain insight into, intercept, or track the movements of their targets.

The post A new APT is targeting hotels across the world appeared first on The Record by Recorded Future.
