An Iranian cyber-espionage group has been targeting thousands of defense companies using recently discovered backdoor malware, according to a report by the Microsoft Threat Intelligence team.
Peach Sandstorm, a nation-state threat actor known for pursuing organizations in the space and pharmaceutical sectors, has reportedly been attempting to deliver a new malware named FalseFont to individuals working in the Defense Industrial Base sector.
The sector comprises over 100,000 defense companies and subcontractors involved in producing military systems.
When accessed, FalseFont allows operators to remotely access an infected system, launch additional files, and send sensitive information to its command-and-control servers.
“The development and use of FalseFont is consistent with Peach Sandstorm’s activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft,” Microsoft stated.
Mitigation
Microsoft has laid out some procedures to mitigate potential FalseFont attacks, including resetting account passwords for those that have been targeted by a password spray attack.
Additionally, network defenders are advised to revoke session cookies and other multi factor authentication setting changes made by the attacker on compromised accounts.
To harden accounts against password spray or brute force attacks, users are also encouraged to consider transitioning to a passwordless primary authentication method.
“The recommendations provided above [are] critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations…” Microsoft noted.
Previous Attacks
Also tracked as HOLMIUM or Refined Kitten, Peach Sandstorm has targeted various sectors across the US, Saudi Arabia, and South Korea.
It has been carrying out cyber-espionage activities since at least 2013.
In September, Microsoft announced that the Iranian group carried out a wave of password spray attacks.
Password spraying is an attempt to use a common password to access multiple accounts and avoid account lockouts that normally occur when trying many passwords on a single account.
The company said the successful attacks resulted in data theft from a limited number of victims in the defense, satellite, and pharmaceutical sectors.
