Cybersecurity News in Asia

Features
- Featured
  
  How to talk to your board and C-suite about cyber-preparedness
  
  Thursday, June 1, 2023, 11:33 AM Asia/Singapore | Features, Newsletter, Tips
- Featured
  
  Ransomware trends APAC organizations should be mindful of
  
  Tuesday, May 30, 2023, 2:02 PM Asia/Singapore | Features, Malware & Ransomware
- Featured
  
  Generative AI – the cybercriminal’s latest tool of terror?
  
  Tuesday, May 23, 2023, 11:20 AM Asia/Singapore | Features
News
- Featured
  
  Automation and AI increase bot attack sophistication, evasiveness
  
  Thursday, June 1, 2023, 2:45 PM Asia/Singapore | Cyberthreat Landscape, News, Newsletter
- Featured
  
  Research sheds light on Cryptor-as-a-Service in the Dark Web
  
  Tuesday, May 30, 2023, 10:33 AM Asia/Singapore | News, Newsletter
- Featured
  
  Take a peek at ransomware victims’ failure points
  
  Tuesday, May 30, 2023, 10:13 AM Asia/Singapore | Malware & Ransomware, News, Newsletter
Opinions
Tips
Whitepapers
Awards 2022
Directory
E-Learning

News

Sparrows of a feather exploit together

By CybersecAsia editors | Wednesday, October 6, 2021, 11:29 AM Asia/Singapore

Names like FamousSparrow and SparrowDoor make advanced persistent threat groups sound furry and cute, but victims often cry fowl (foul).

A new cyber espionage group attacking mainly hotels worldwide but not excluding governments, international organizations, engineering companies and law firms, has been discovered.

Telemetry from the ESET user base shows that the group has been active since at least 2019, with victims located in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso).

The researchers have since named this advanced persistent threat group FamousSparrow. It was among the more than 10 APT groups that exploited the Microsoft Exchange vulnerabilities known as ProxyLogon. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3, 2021, the day following the release of the patches—meaning it is yet another APT group that had access to the details of the ProxyLogon vulnerability chain in March 2021.

*Geographic distribution of FamousSparrow targets*

Although the researchers consider FamousSparrow to be a separate entity, the group does share some connections to other known APT groups. In one case, the attackers deployed a variant of Motnug, a loader used by APT group SparklingGoblin. In another case, a machine compromised by FamousSparrow was also running Metasploit with cdn.kkxx888666[.]com as its command-and-control server, a domain related to a group known as DRDControl.

Uniquely, FamousSparrow is currently the only user of a custom backdoor that ESET discovered and named SparrowDoor. The group also uses two custom versions of Mimikatz. Explained one of the firm’s researchers, Tahseen Bin Taj: “The presence of any of these custom malicious tools could be used to connect incidents to FamousSparrow.”

This discovery is another reminder that timely vulnerability patching is critical; or, if quick patching is not possible, networks exposed to the internet should be taken offline, advised Matthieu Faou, another ESET researcher.