Iranian Hackers Targeting US Defense Industrial Base Entities With New Backdoor

December 22, 2023 at 07:45AM

Microsoft has raised an alert on Iranian state-sponsored attacks targeting US defense industrial base (DIB) organizations. The attacks are attributed to Peach Sandstorm, a group also known as APT33 that is believed to have been active since at least 2013. A newly developed backdoor named FalseFont has been observed, giving the operators remote access to infected systems. Microsoft has published security recommendations for affected organizations.

From the meeting notes:

1. Microsoft has raised the alarm on new Iranian state-sponsored attacks targeting employees at US defense industrial base (DIB) organizations.
2. The attacks are attributed to Peach Sandstorm, also known as APT33, Elfin, Holmium, Magnallium, and Refined Kitten.
3. APT33 has been active since at least 2013 and is believed to be backed by the Iranian government.
4. The attacks have targeted organizations across various sectors in the US, Europe, Asia, and the Middle East.
5. A newly developed backdoor named FalseFont has been used in these attacks; it provides remote access, executes files, and exfiltrates data to the command-and-control server.
6. FalseFont was first used in attacks in November 2023.
7. Microsoft has observed ongoing improvement in the tradecraft of Peach Sandstorm.
8. In September, Microsoft warned of an APT33 campaign targeting organizations with password spray attacks, leading to data exfiltration in some cases.
9. Recommendations for organizations include password resets, revoking session cookies, implementing best practices for securing identity infrastructure, practicing good credential hygiene, employing multi-factor authentication, transitioning to passwordless authentication, and securing remote desktop connections.

Additionally, related articles provide more context on Iranian cyber activities and US responses.
