Microsoft has issued a warning about a novel backdoor, dubbed FalseFont, that is targeting organizations in the Defense Industrial Base (DIB) sector. The campaign is attributed to an Iranian threat actor tracked as Peach Sandstorm (formerly Holmium, and also known as APT33, Elfin, and Refined Kitten). FalseFont is a custom backdoor with a broad range of functionality: it gives the operators remote access to compromised systems, lets them execute additional files, and sends collected information to its command-and-control servers.
The first recorded use of FalseFont dates to early November 2023, according to the Microsoft Threat Intelligence team's post on X (formerly Twitter). The backdoor fits the pattern of Peach Sandstorm's past activity and shows the group's tradecraft continuing to evolve. Microsoft previously linked Peach Sandstorm to a global wave of password spray attacks against the satellite, defense, and pharmaceutical sectors between February and July 2023. The group's primary objective is assessed to be intelligence collection in support of Iranian state interests, and its activity has been traced back to at least 2013.
In a 2017 assessment, Google-owned Mandiant noted APT33's specific interest in aviation organizations, both military and commercial, as well as energy sector entities with ties to petrochemical production.
The disclosure coincides with an accusation by the Israel National Cyber Directorate that Iran and Hezbollah, operating through the hacking crews tracked as Agrius and Lebanese Cedar, made an unsuccessful attempt to breach Ziv Hospital. The agency also disclosed a phishing campaign that used a fake security advisory for an F5 BIG-IP flaw as a decoy to deliver wiper malware to Windows and Linux systems. The lure in this targeted attack is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) disclosed in late October 2023; the extent of the campaign is presently unknown.