Microsoft’s Warning: ‘FalseFont’ Backdoor Threat Revealed

In a concerning development, Microsoft has issued a warning targeted at organizations within the Defense Industrial Base (DIB) sector. A new campaign orchestrated by an Iranian threat actor has unveiled a never-before-seen backdoor dubbed ‘FalseFont,’ posing a significant risk to targeted entities.

The activity, monitored under Microsoft’s weather-themed designation Peach Sandstorm (formerly known as Holmium, APT33, Elfin, and Refined Kitten), showcases the deployment of FalseFont. This custom-built backdoor offers a wide array of functionalities enabling remote access to compromised systems, execution of additional files, and transmission of data to command-and-control servers.

The first instance of FalseFont’s deployment was recorded in early November 2023, marking a critical milestone in the evolution of Peach Sandstorm’s tactics.

This latest revelation aligns with earlier actions attributed to Peach Sandstorm, detailed in a September 2023 report by Microsoft. The threat actor’s modus operandi involved password spray attacks directed at numerous global organizations between February and July 2023, primarily focusing on satellite, defense, and pharmaceutical sectors.

Microsoft’s assessment suggests that Peach Sandstorm’s overarching objective is to gather intelligence in support of Iranian state interests. The group’s activities trace back to at least 2013.

A previous assessment in 2017 highlighted APT33’s keen interest in aviation organizations, encompassing military and commercial entities, along with a focus on energy sector organizations linked to petrochemical production.

The bait for this targeted attack revolves around a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) revealed in late October 2023, although the full extent of this campaign remains undisclosed.

To defend against this threat, defense entities should bolster their security posture by implementing robust endpoint protection, conducting regular security audits, and deploying intrusion detection systems. Enhanced user authentication, network segmentation, and constant vigilance for suspicious activities can mitigate the risks posed by backdoors like FalseFont.
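Because the password spray activity described above is the precursor the article attributes to Peach Sandstorm, one concrete form of the "constant vigilance" recommended here is a detector that separates spraying from ordinary brute force in authentication logs. The following is an added example written for this page, not code from Microsoft or from the article; the log lines, the four-field log format, the IP addresses and usernames, and the window and threshold values are all constructed assumptions. A spray is distinguished by one source failing against many distinct accounts while staying under the per-account lockout count, which is exactly the pattern that a per-user lockout rule alone never sees.

```python
"""Password-spray detector over constructed authentication log lines.

A spray looks different from brute force: one source tries a few passwords
against MANY accounts, so no single account trips a lockout. The detector
therefore alerts on a source that fails against many distinct users inside
a short window while staying below the per-user lockout threshold.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article).
# Assumed format: "<ISO time> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2023-03-01T09:00:01Z 203.0.113.7 alice FAIL
2023-03-01T09:00:03Z 203.0.113.7 bob FAIL
2023-03-01T09:00:05Z 203.0.113.7 carol FAIL
2023-03-01T09:00:08Z 203.0.113.7 dave FAIL
2023-03-01T09:00:10Z 203.0.113.7 erin FAIL
2023-03-01T09:00:12Z 203.0.113.7 frank FAIL
2023-03-01T09:00:15Z 203.0.113.7 grace OK
2023-03-01T09:01:00Z 198.51.100.9 alice FAIL
2023-03-01T09:01:05Z 198.51.100.9 alice FAIL
2023-03-01T09:01:09Z 198.51.100.9 alice FAIL
2023-03-01T09:01:14Z 198.51.100.9 alice FAIL
2023-03-01T09:01:20Z 198.51.100.9 alice FAIL
2023-03-01T09:01:25Z 198.51.100.9 alice FAIL
2023-03-01T09:05:00Z 192.0.2.44 heidi FAIL
2023-03-01T09:05:30Z 192.0.2.44 heidi OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_distinct_users=5, max_fails_per_user=3):
    """Return {src_ip: details} for sources whose failures fit the spray pattern.

    Thresholds are assumptions for illustration: a source is flagged when,
    within `window`, it has failed against at least `min_distinct_users`
    accounts and no single account has more than `max_fails_per_user`
    failures (i.e. it is deliberately staying under a lockout limit).
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        recent = deque()                  # failures inside the sliding window
        per_user = defaultdict(int)       # failure count per user in window
        for ts, user in events:
            recent.append((ts, user))
            per_user[user] += 1
            # Expire events that fell out of the window.
            while recent and ts - recent[0][0] > window:
                _, old_user = recent.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_fails_per_user):
                alerts[src] = {
                    "distinct_users": len(per_user),
                    "window_start": recent[0][0].isoformat(),
                    "window_end": ts.isoformat(),
                    "users": sorted(per_user),
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: "
              f"{info['distinct_users']} accounts between "
              f"{info['window_start']} and {info['window_end']}")
```

On the constructed sample, only 203.0.113.7 is flagged: it fails once each against five accounts within seconds. The source hammering a single account (198.51.100.9) is ordinary brute force and is left to per-account lockout rules, and the user who mistyped once and then succeeded is not reported at all. In practice the window and thresholds should be tuned to the tenant's normal failure rate, and the detector should be fed from the identity provider's sign-in logs rather than a single host.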