December 21, 2023 at 03:30PM
Microsoft warns that the Iranian cyber-espionage group APT33 is using the FalseFont backdoor malware against defense contractors globally, in a sector comprising over 100,000 defense companies. Known as Peach Sandstorm, the group has been active since 2013, targeting industries across the US, Saudi Arabia, and South Korea. Network defenders are advised to reset credentials and use multi-factor authentication to reduce their exposure.
Based on the meeting notes, the key takeaways are:
1. APT33, an Iranian cyber-espionage group, has been utilizing the FalseFont backdoor malware to target defense contractors globally.
2. Microsoft has observed the Iranian nation-state actor, Peach Sandstorm, attempting to deliver the FalseFont backdoor to individuals working for organizations in the Defense Industrial Base (DIB) sector, which comprises over 100,000 defense companies and subcontractors.
3. APT33, also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, has been active since at least 2013 and has targeted a wide range of industry sectors in the United States, Saudi Arabia, and South Korea, including government, defense, research, finance, and engineering verticals.
4. The FalseFont backdoor provides remote access to compromised systems, file execution, and file transfer to its command-and-control (C2) servers. It was first observed in the wild around early November 2023.
5. Microsoft advises network defenders to reset credentials for accounts targeted in password spray attacks and to revoke session cookies. They also recommend securing accounts and RDP or Windows Virtual Desktop endpoints using multi-factor authentication (MFA) to reduce the attack surface targeted by APT33 hackers.
6. In addition to the recent campaign involving FalseFont, APT33 had previously conducted extensive password spray attacks since February 2023 targeting thousands of organizations worldwide, particularly in the defense, satellite, and pharmaceutical sectors.
7. There have been incidents of data theft from a limited number of victims in the defense, satellite, and pharmaceutical sectors as a result of APT33 attacks.
8. In the past, an Iran-linked hacking group known as DEV-0343 targeted U.S. and Israeli defense tech companies, according to a Microsoft report from October 2012.
9. Finally, the notes mention that defense agencies and contractors globally have also faced cyber threats from Russian, North Korean, and Chinese state hackers in recent years.
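As an added example (not from the article or from Microsoft's own tooling), the script below runs a simple password-spray detector over constructed sign-in log lines; the log format, thresholds and IP addresses are assumptions. A source that fails against many distinct accounts in a short window, plus any account it then signs into, is what the credential reset and session-cookie revocation in item 8 should be applied to.

```python
"""Flag password-spray activity: one source trying a few passwords against
MANY distinct accounts, as opposed to brute force (many tries on one account)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (assumed CSV format: timestamp,user,src_ip,result).
SAMPLE_LOG = """\
2023-12-20T09:00:01Z,alice,198.51.100.7,FAIL
2023-12-20T09:00:04Z,bob,198.51.100.7,FAIL
2023-12-20T09:00:09Z,carol,198.51.100.7,FAIL
2023-12-20T09:00:13Z,dave,198.51.100.7,FAIL
2023-12-20T09:00:20Z,erin,198.51.100.7,FAIL
2023-12-20T09:00:25Z,frank,198.51.100.7,SUCCESS
2023-12-20T09:01:00Z,alice,203.0.113.9,FAIL
2023-12-20T09:01:05Z,alice,203.0.113.9,FAIL
2023-12-20T09:01:10Z,alice,203.0.113.9,SUCCESS
2023-12-20T11:00:00Z,grace,192.0.2.4,FAIL
"""

def parse_log(text):
    """Parse CSV lines into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {src_ip: {"users": set, "success": set}} for every source whose
    failed logins hit at least min_users distinct accounts within one window.
    "success" lists accounts that source later signed into (reset/revoke these)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):       # sliding window over failures
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                succ = {u for ts, u, r in evs if r == "SUCCESS"}
                findings[ip] = {"users": users, "success": succ}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {sorted(f['users'])}, signed in as {sorted(f['success'])}")
```

The second source (203.0.113.9) is a single-account brute force and is deliberately not flagged by this rule; it needs a separate per-account threshold.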