Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:-
- APT33
- Elfin
- Refined Kitten
This nation-state group focuses primarily on the following sectors:-
- Aviation
- Construction
- Defense
- Education
- Energy
- Finance
- Healthcare
- Government
- Satellite
- Telecommunications
In 2023, the group shows persistent interest in satellite, defense, and pharmaceutical sectors. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic.
However, besides this, stealthier 2023 activities contrast with past noisy operations, showcasing advanced cloud-based techniques.
Cybersecurity researchers at Microsoft Threat Intelligence team recently discovered a new backdoor dubbed “FalseFont,” that enables threat actors to hack Microsoft’s Windows operating system, and it’s been reported that the Iranian Hacker group Peach Sandstorm has developed this new backdoor.
Technical analysis
This custom backdoor, FalseFont, provides the following capabilities to its operators:-
- Remote access
- File launching
- Data transmission to C2 servers
This custom backdoor, FalseFont, was detected in early November 2023 during operations against its targets.
FalseFont’s development aligns with Microsoft’s year-long observation of Peach Sandstorm, indicating ongoing enhancement of their newly developed custom backdoor.
Moreover, the security solution of Microsoft that comes pre-embedded with its Windows operating system, Microsoft Defender Antivirus, detected the “FalseFont” backdoor as:-
Here below, we have mentioned the IOCs that will help the organizations detect this sophisticated backdoor in their environment:-
- C2: Digitalcodecrafters[.]com
- SHA-256: 364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614
Cybersecurity researchers at the Microsoft Threat Intelligence team are actively continuing their ongoing investigations in an attempt to hunt down all the associated activity of Peach Sandstorm through Microsoft Defender XDR.
Mitigations
Here below we have mentioned all the mitigations provided by the cybersecurity researchers at the Microsoft Threat Intelligence team:-
- Reset passwords for accounts targeted in a password spray attack, especially those with system-level permissions.
- Revoke any changes to multifactor authentication (MFA) settings made by attackers on compromised accounts.
- Implement Azure Security Benchmark and general best practices for identity infrastructure security.
- Create conditional access policies based on defined criteria to control environment access.
- Block legacy authentication with Microsoft Entra ID using Conditional Access to prevent password spray attacks.
- Enable AD FS web application proxy extranet lockout to protect against password brute force compromise.
- Practice the least privilege and audit privileged account activity in Microsoft Entra ID environments.
- Deploy Microsoft Entra ID Connect Health for AD FS to capture failed attempts and IP addresses in logs.
- Use Microsoft Entra ID password protection to detect and block weak passwords and variants.
- Turn on identity protection in Microsoft Entra ID to monitor and create policies for risky sign-ins.
- Employ MFA for privileged accounts and risk-based MFA for normal accounts to mitigate password spray attacks.
- Consider transitioning to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.
- Secure RDP or Windows Virtual Desktop endpoints with MFA to harden against attacks.
- Treat AD FS servers as Tier 0 assets, protecting them with measures similar to domain controllers.
- Practice credential hygiene, including logon restrictions and controls like Windows Firewall on easily compromised systems.
- Consider migrating to Microsoft Entra ID authentication to reduce the risk of on-premises compromises.