Microsoft has disclosed that the Iranian APT33 cyber-espionage group, also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, is actively deploying a newly discovered backdoor malware named FalseFont. The attacks are specifically targeting individuals associated with organizations in the Defense Industrial Base (DIB) sector globally. The DIB sector encompasses over 100,000 defense companies and subcontractors involved in the research and development of military weapons systems, subsystems, and components.
FalseFont, the custom backdoor employed by APT33, provides the attackers with remote access to compromised systems, allowing for file execution and transfer to command-and-control servers. Microsoft notes that the development and utilization of FalseFont are consistent with Peach Sandstorm’s activities observed over the past year, indicating a continuous effort to enhance their tradecraft. The malware was first observed in the wild around early November 2023.
In addition to the use of FalseFont, Microsoft issued a warning urging network defenders to take specific measures. This includes resetting credentials for accounts targeted in password spray attacks to reduce the attack surface. Furthermore, defenders are advised to revoke session cookies and enhance the security of accounts and remote desktop protocol (RDP) or Windows Virtual Desktop endpoints by implementing multi-factor authentication (MFA). This revelation follows a previous warning from Microsoft in September, where the company disclosed a coordinated campaign by APT33 that targeted thousands of organizations worldwide, including those in the defense sector.
APT33 has consistently demonstrated interest in various sectors, including defense, satellite, and pharmaceutical industries, and the attacks resulted in data theft from a limited number of victims in these sectors. The disclosure underscores the ongoing and evolving cyber threats faced by defense contractors and organizations globally.
Reference
