A new state-sponsored advanced persistent threat (APT), a term used to describe very sophisticated, nation-state-sponsored cyber-espionage groups, has been observed escalating attacks against hotels across the world. Code-named FamousSparrow, this new APT was discovered by Slovak security firm ESET, which said it has tracked hotel-focused attacks as far back as 2019.
“FamousSparrow’s victims are located in Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan), and Africa (Burkina Faso),” the company said in a recent report. Besides hotels, other cyber-attacks also hit governments, international organizations, engineering companies, and law firms. “The targeting suggests that FamousSparrow’s intent is cyberespionage,” ESET researchers said today.
FamousSparrow is entering via unpatched web applications. Most of the attacks followed the same pattern, with the group using vulnerabilities in web applications as entry points into its victims’ networks. ESET explains that past attacks exploited security flaws in:
- Microsoft Exchange
- Microsoft SharePoint
- Oracle Opera (business software for hotel management)
Also of particular interest is that FamousSparrow was one of the first APTs to mount attacks using the ProxyLogon vulnerability in Microsoft Exchange email servers. ESET said the group weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability’s existence, with the first attacks recorded on 3 March 2021.
Once FamousSparrow gained a foothold inside a target network, ESET researchers said, the attackers deployed a custom backdoor named SparrowDoor, which they used as a pivot point to organise lateral movement inside the hacked network using public tools like Mimikatz and Metasploit.
While the FamousSparrow group used tools previously linked to espionage operations carried out by other groups such as DRBControl and SparklingGoblin, researchers also said they are not ready to attribute the group to any particular nation-state.
Hotels are often targeted for financial intelligence gathering. The group now joins the ranks of other APTs that have historically targeted hotels, such as the infamous DarkHotel, APT28, and the Rana Group, which did not target hotels directly but hotel room booking systems.
The purpose of attacking and compromising hotels is simple: it allows cyber-espionage groups to track the movement of persons of interest.[1] For the same reason, APTs often also target telecoms and airline companies, seeking to gain insight, intercept targets, or track the movements of their targets.
When people travel, they often stay at hotels. Digital expansion has left no segment of the travel ecosystem untouched by cyber risks and vulnerabilities, with companies like Bangkok Air, Marriott Hotels, SITA and Ticketmaster falling victim to attacks or being fined for data breaches. A representative and cyber expert from Mastercard says that cyber risk exposure will increase as the travel industry evolves, and that every organization, regardless of size, is vulnerable to cyber threats.[2]
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://therecord.media/a-new-apt-is-targeting-hotels-across-the-world
[2] https://www.ttgasia.com/2021/09/21/cyber-risk-poised-to-increase-amid-evolving-travel-landscape/