Cyber Threat Report: 'FamousSparrow: A suspicious hotel guest'
Field | Value |
---|---|
Report Author | ESET |
Publication Date | 2021-09-23 |
Original Reporting | Source |
Related Intrusion Sets | SparklingGoblin, FamousSparrow |
Victim Sectors | Leisure and Hospitality, National Government |
This blog post by researchers from ESET describes the FamousSparrow APT group and its associated custom backdoor, 'SparrowDoor'. According to the post, FamousSparrow was observed exploiting the 'ProxyLogon' vulnerability in Microsoft Exchange to gain access to targets and deploy the SparrowDoor backdoor. Targets of the group included governments, hotels and other private companies worldwide. The post includes a technical analysis of the SparrowDoor malware and outlines additional tools used by the group, including a Mimikatz variant, ProcDump and Nbtscan.
Mitigations to defend against the techniques in this report
Mitigation | Description |
---|---|
Privileged Process Integrity | Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures. |
Password Policies | Set and enforce secure password policies for accounts. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
Behavior Prevention on Endpoint | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
Encrypt Sensitive Information | Protect sensitive information with strong encryption. |
Credential Access Protection | Use capabilities to prevent successful credential access by adversaries, including blocking forms of credential dumping. |
Pre-compromise | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. |
Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Antivirus/Antimalware | Use signatures or heuristics to detect malicious software. |
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
Exploit Protection | Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
Vulnerability Scanning | Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. |
Update Software | Perform regular software updates to mitigate exploitation risk. |
Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services... |
User Account Management | Manage the creation, modification, use, and permissions associated to user accounts. |
Code Signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
Execution Prevention | Block execution of code on a system through application control and/or script blocking. |
Data Loss Prevention | Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data. (Citation: PurpleSec Data Loss Prevention) |
Restrict Library Loading | Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potentially vulnerable software. |
Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1003 | OS Credential Dumping | Credential Access |
T1588.005 | Exploits | Resource Development |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1071.001 | Web Protocols | Command and Control |
T1082 | System Information Discovery | Discovery |
T1190 | Exploit Public-Facing Application | Initial Access |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1203 | Exploitation for Client Execution | Execution |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1059.003 | Windows Command Shell | Execution |
T1583.001 | Domains | Resource Development |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1083 | File and Directory Discovery | Discovery |
T1583.004 | Server | Resource Development |
T1005 | Data from Local System | Collection |
T1573.001 | Symmetric Cryptography | Command and Control |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |