A new group of APT hackers spying on hotels and governments around the world

A new advanced persistent threat (APT) group is behind a series of attacks against hotels around the world, as well as against governments, international organizations, engineering companies and law firms.

Slovak cybersecurity firm ESET codenamed the cyber espionage group FamousSparrow. It says the group has been active since at least August 2019, with victims located in Africa, Asia, Europe, the Middle East and the Americas, in countries including Burkina Faso, Taiwan, France, Lithuania, the United Kingdom, Israel, Saudi Arabia, Brazil, Canada and Guatemala.

The group's attacks involve exploiting known vulnerabilities in server applications such as SharePoint and Oracle Opera, as well as the ProxyLogon remote code execution vulnerability in Microsoft Exchange Server disclosed in March 2021. That makes FamousSparrow the latest threat actor found to have had access to the ProxyLogon exploit before the details of the flaw were made public.

According to ESET, the intrusions exploiting these flaws began on March 3, 2021, and led to the deployment of several malicious artifacts, including two custom versions of the Mimikatz credential-theft tool, a NetBIOS scanner named NbtScan, and a loader for a custom backdoor called SparrowDoor.

SparrowDoor is installed using a technique called DLL search order hijacking, in which a malicious DLL placed where the loader looks first is picked up by a legitimate executable instead of the intended library. Once running, the backdoor gives the operators a foothold from which to reach further into the target's internal network, execute arbitrary commands, and collect sensitive information for exfiltration to a remote command-and-control (C2) server under their control.
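The detection a defender would want for the installation step above is one that flags DLL search-order hijacking from image-load telemetry. The following is an added example written for this article, not code from ESET or anything taken from the FamousSparrow report: a heuristic run over constructed events that mirror the Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus). Every path, DLL name and event in it is made up for illustration and is not a FamousSparrow or SparrowDoor indicator.

```python
# Added example (not from the article or ESET's report): a heuristic detector
# for DLL search-order hijacking, run over constructed image-load events that
# mirror Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, SignatureStatus).
# Every path, DLL name and event below is made up for illustration; none is a
# FamousSparrow/SparrowDoor indicator.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLLs that normally come from %SystemRoot%\System32 and are common hijack
# targets: an illustrative subset, not an exhaustive list.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptsp.dll", "userenv.dll", "profapi.dll",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class ImageLoad:
    image: str              # loading process (Sysmon 'Image')
    image_loaded: str       # DLL path (Sysmon 'ImageLoaded')
    signed: bool            # Sysmon 'Signed'
    signature_status: str   # Sysmon 'SignatureStatus': Valid / Invalid / Unavailable


def in_system_dir(dll_path: str) -> bool:
    """True when the DLL lives directly under System32 or SysWOW64."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return parent in SYSTEM_DIRS


def classify(ev: ImageLoad):
    """Return a verdict string for suspicious loads, None for benign ones."""
    dll = PureWindowsPath(ev.image_loaded)
    name = dll.name.lower()

    # Strongest signal: a file named like a System32 DLL resolved somewhere
    # else. That is exactly what search-order hijacking produces: the loader
    # finds the attacker's copy (e.g. in the application directory) before
    # reaching the real one in System32.
    if name in KNOWN_SYSTEM_DLLS and not in_system_dir(ev.image_loaded):
        return "HIGH: System32 DLL name loaded from %s" % dll.parent

    # Weaker signal: a DLL loaded from the process's own directory that is not
    # validly signed. Legitimate side-by-side DLLs are usually signed by the
    # same vendor as the executable.
    same_dir = dll.parent == PureWindowsPath(ev.image).parent
    if same_dir and not (ev.signed and ev.signature_status == "Valid"):
        return "MEDIUM: unsigned or invalid DLL side-loaded from %s" % dll.parent
    return None


def scan(events):
    """Run classify() over a batch and return (dll_path, verdict) hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.image_loaded, verdict))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # normal: version.dll resolved from System32
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, "Valid"),
    # hijack: a planted version.dll next to the signed executable wins the
    # search order and is loaded instead of the real one
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\version.dll", False, "Unavailable"),
    # side-load: unsigned helper DLL dropped beside a tool in ProgramData
    ImageLoad(r"C:\ProgramData\Tool\tool.exe",
              r"C:\ProgramData\Tool\helper.dll", False, "Unavailable"),
    # benign: vendor-signed library shipped with the application
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\vendorlib.dll", True, "Valid"),
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_EVENTS):
        print(path, "->", verdict)
```

Treat the HIGH verdict as a triage signal rather than a conviction: some legitimate applications do ship their own copies of these DLL names, so baseline each application's expected side-by-side libraries and alert on deviations from that baseline.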


Although ESET did not attribute FamousSparrow to a specific country, it found similarities between the group's techniques and those of SparklingGoblin, an offshoot of the China-linked Winnti Group, and DRBControl, which in turn overlaps with malware previously tied to Winnti and Emissary Panda campaigns.

“This is another reminder that it is essential to quickly fix applications that are accessible on the internet or, if a quick fix is not possible, not to expose them to the internet at all,” said ESET researchers Tahseen Bin Taj and Matthieu Faou.
