Microsoft has alerted the Defense Industrial Base (DIB) sector about a new threat from a backdoor named 'FalseFont'. This backdoor, which is believed to be the creation of an Iranian threat actor, is part of a campaign aimed at infiltrating these organizations.
The backdoor, dubbed FalseFont, has a wide range of capabilities. It allows operators to remotely access a compromised system, launch additional files, and transmit data to its command-and-control servers. Microsoft's Threat Intelligence team highlighted the danger of this backdoor on X (formerly Twitter), saying, "FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers."
The first known use of FalseFont was in early November 2023. Microsoft notes that this latest activity is consistent with previous operations by the threat actor, tracked as Peach Sandstorm, which has been active since at least 2013 and has continually evolved its tradecraft. Traditional security measures are proving insufficient to counter this threat, underscoring the need for advanced measures like Zero Trust Security.
In a report released in September 2023, Microsoft linked Peach Sandstorm to password spray attacks against thousands of organizations worldwide between February and July 2023. These attacks primarily targeted the satellite, defense, and pharmaceutical sectors. According to Microsoft, the ultimate aim of these intrusions is to gather intelligence in support of Iranian state interests.
The announcement from Microsoft coincides with accusations from the Israel National Cyber Directorate (INCD) against Iran and Hezbollah. The INCD alleges that these entities attempted, unsuccessfully, to target Ziv Hospital through the hacking groups Agrius and Lebanese Cedar. The INCD also unveiled details of a phishing campaign that uses a fake advisory for a security flaw in F5 BIG-IP products as a decoy to deliver wiper malware to Windows and Linux systems. The bait for the targeted attack is a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) that was disclosed in late October 2023. The extent of this campaign is currently unclear.