An Iranian threat actor is targeting organizations in the Defense Industrial Base (DIB) sector as part of a broader campaign attributed to the group Microsoft tracks as Peach Sandstorm (formerly known as Holmium, and also tracked as APT33, Elfin, and Refined Kitten).
The activity involves a novel backdoor named FalseFont, which Microsoft's Threat Intelligence team reported in posts on X (formerly Twitter). FalseFont is a custom backdoor with a broad set of capabilities: it gives the operators remote access to a compromised system, can execute additional files, and sends data to its command-and-control servers. Microsoft first observed the implant in use in early November 2023.
Microsoft notes that this activity is consistent with earlier operations attributed to Peach Sandstorm and reflects a continuing evolution in the group's tactics and techniques. In a September 2023 report, Microsoft had linked the group to password spray attacks carried out worldwide between February and July 2023, with a particular focus on organizations in the satellite, defense, and pharmaceutical sectors.
The objective of these intrusions, according to Microsoft, is intelligence collection in support of Iranian state interests. Peach Sandstorm has been active since at least 2013.
The disclosure coincides with an accusation by the Israel National Cyber Directorate (INCD) that Iran and Hezbollah were behind an unsuccessful attempt to target Ziv Hospital, an operation the INCD attributes to the hacking crews Agrius and Lebanese Cedar. The INCD has also described a phishing campaign in which a counterfeit advisory, purporting to address a security flaw in F5 BIG-IP products, is used as a lure to deliver wiper malware to both Windows and Linux systems.
The lure for these targeted attacks is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) disclosed in late October 2023. The full scope of the campaign has not yet been disclosed.