A new APT is targeting hotels across the world

Discussion in 'malware problems & news' started by guest, Sep 23, 2021.

  1. guest

    guest Guest

    A new APT is targeting hotels across the world
    September 23, 2021
    https://therecord.media/a-new-apt-is-targeting-hotels-across-the-world/
    ESET: FamousSparrow: A suspicious hotel guest
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Conclusion: Microsoft systems are the greatest instrument for empowering the worst disruptors the planet has ever experienced. No question, whether intended or not.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    How does the infection chain below work?

    [Attached image: sparrowdoor.png]
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    What exactly do you mean with this?
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Where and how does the very beginning of the infection chain start? Is it an unpatched program vulnerability exploited through the network? How are the malicious processes dropped and executed on the target?

    EDIT

    Okay, so I have just discovered some news on this. There is a ProxyLogon exploit used against MS Exchange servers:

    https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/

    There is a link that points to a detailed analysis but it's far too confusing for me to even attempt to understand it.
     
    Last edited: Sep 24, 2021
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, I now see what you mean, and I agree that these types of articles are sometimes a bit confusing. But from what I understood, you can compare the ProxyLogon exploit with, for example, browser exploits: the goal is to get automatic code execution from remote. The only difference is that MS Exchange is being attacked instead of the browser.

    But the goal remains the same: to get malware up and running on PCs and servers. Of course AV and behavior monitoring should still be able to spot this malware; this is the whole cat-and-mouse game. That's why billions are being spent on so-called EDR systems like MS Defender ATP, Carbon Black, CrowdStrike and the other well-known names.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Exactly what I was looking for: how the malware makes it onto the target in the first place. The article does pretty much explain that it's an MS Exchange server vulnerability being exploited. Thanks!

    Actually I wonder if a perimeter firewall could be properly utilized to raise the bar considerably for attackers.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I haven't got a clue if a firewall can help to protect against this kind of stuff. I've read that MS Exchange, Pulse Secure VPN and Citrix had the most severe holes this year, and that's probably why you are seeing so many successful ransomware attacks on companies. The question is what type of security measures they were using, because normally speaking EDR should be able to block this.
     
  9. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    What intelligence agencies are doing is listening in on hotel guests and collecting personal data. So much easier than HUMINT operations in hotels and the payoff is instantaneous.
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    From the article:

    In a few cases, we were able to find the initial compromise vector used by FamousSparrow and these systems were compromised through vulnerable internet-facing web applications. We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples.
     