FalseFont Backdoor Enables Attackers to Remotely Connect to a Compromised System
Microsoft said Iranian state hackers are using a newly developed backdoor to target organizations in the American defense industrial base.
The Iranian state threat actor that Microsoft tracks as Peach Sandstorm employed a custom backdoor named FalseFont, which features several capabilities that empower backdoor operators to remotely connect to a compromised system, initiate the execution of supplementary files, and transmit data to attacker-controlled servers.
Researchers first spotted the custom backdoor in early November 2023, Microsoft said Wednesday. The defense industrial base encompasses a broad range of industries that contribute to national military capabilities, including aerospace, technology and manufacturing.
Between February and July, the nation-state hacker carried out a wave of password-spraying attacks against thousands of targets, the computing giant reported.
Microsoft earlier tracked the group as Holmium, and it is also known as APT33 and Refined Kitten.
Password spraying is not a sophisticated technique. It is a variant of brute-force attacks: rather than trying many passwords against a single account, the attacker tries the same password guess against many accounts, which avoids triggering account lockouts and bets that at least one user has a previously used or easy-to-guess password.
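The signature of the technique described above is one failed attempt per account across many accounts from the same source, which is what a defender can look for. The following is an added detection example, not code from the article or from Microsoft; the log line format, the sample log lines and the thresholds are all constructed assumptions. A source that hammers one account many times is flagged as classic brute force by lockout rules, so this detector deliberately reports only the spray pattern.

```python
"""Password-spray detection over constructed authentication log lines.

Added example; not from the article or Microsoft. The log format
(timestamp, result, user, source IP) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data); the format is an assumption:
# "<ISO timestamp> <RESULT> user=<account> src=<ip>"
SAMPLE_LOG = """\
2023-11-02T09:00:01 FAIL user=alice src=203.0.113.7
2023-11-02T09:00:09 FAIL user=bob src=203.0.113.7
2023-11-02T09:00:17 FAIL user=carol src=203.0.113.7
2023-11-02T09:00:26 FAIL user=dave src=203.0.113.7
2023-11-02T09:00:34 FAIL user=erin src=203.0.113.7
2023-11-02T09:00:41 FAIL user=frank src=203.0.113.7
2023-11-02T09:00:02 FAIL user=admin src=198.51.100.9
2023-11-02T09:00:04 FAIL user=admin src=198.51.100.9
2023-11-02T09:00:06 FAIL user=admin src=198.51.100.9
2023-11-02T09:00:08 FAIL user=admin src=198.51.100.9
2023-11-02T09:00:10 FAIL user=admin src=198.51.100.9
2023-11-02T09:01:00 FAIL user=grace src=192.0.2.5
2023-11-02T09:01:12 OK user=grace src=192.0.2.5
"""


def parse_line(line):
    """Parse one log line into (timestamp, result, user, src); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    return ts, parts[1], fields["user"], fields["src"]


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {src_ip: distinct_accounts} for sources whose failed logins, within
    any `window`, touch at least `min_accounts` distinct accounts while no single
    account fails more than `max_per_account` times (one guess, many accounts).
    A source that repeatedly fails on one account is brute force, not spraying,
    and is not reported here."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "FAIL":
            ts, _, user, src = parsed
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        # Slide a window starting at each failure and count accounts touched.
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = max(flagged.get(src, 0), len(per_user))
    return flagged


if __name__ == "__main__":
    for src, n in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

On the constructed log, only 203.0.113.7 is reported (six accounts, one failure each); the repeated failures against `admin` from 198.51.100.9 and the single typo by `grace` are not. In production the same logic should be applied per source across the identity provider's sign-in logs, with the window and account threshold tuned to the tenant's normal failure rate.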
“The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft,” Microsoft said.
The increasing sophistication of Iranian hackers is a warning Microsoft has sounded before, writing in September that Tehran threat actors are turning zero-day disclosures into exploits within a matter of days or even hours. Peach Sandstorm conforms to Iranian state hackers’ reputation for leaning heavily on phishing, credential stuffing and other social engineering techniques as initial attack vectors, but some of its activity after gaining initial access has been “stealthy and sophisticated,” Microsoft said (see: Iranian Hackers Gain Sophistication, Microsoft Warns).
