Iranian Hackers Developed a New Backdoor to Hack Windows<\/b><\/p>\n
Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:-<\/span><\/p>\n APT33<\/span><\/p>\n Elfin<\/span><\/p>\n Refined Kitten<\/span><\/p>\n This nation-state group focuses primarily on the following sectors:-<\/span><\/p>\n Aviation<\/span><\/p>\n Construction<\/span><\/p>\n Defense<\/span><\/p>\n Education<\/span><\/p>\n Energy<\/span><\/p>\n Finance<\/span><\/p>\n Healthcare<\/span><\/p>\n Government<\/span><\/p>\n Satellite<\/span><\/p>\n Telecommunications<\/span><\/p>\n In 2023, the group showed persistent interest in the satellite, defense, and pharmaceutical sectors. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic.\u00a0<\/span><\/p>\n However, besides this, stealthier 2023 activities contrast with past noisy operations, showcasing advanced cloud-based techniques.<\/span><\/p>\n Cybersecurity researchers at Microsoft Threat Intelligence team recently discovered a new backdoor dubbed \u201cFalseFont,\u201d that enables threat actors to hack Microsoft\u2019s Windows operating system, and it\u2019s been reported that the Iranian Hacker group Peach Sandstorm has developed this new backdoor.<\/span><\/p>\n Technical analysis<\/b><\/p>\n This custom backdoor, FalseFont, provides the following capabilities to its operators:-<\/span><\/p>\n Remote access<\/span><\/p>\n File launching<\/span><\/p>\n Data transmission to C2 servers<\/span><\/p>\n This custom backdoor, FalseFont, was detected in early November 2023 during operations against its targets.<\/span><\/p>\n FalseFont\u2019s development aligns with Microsoft\u2019s year-long observation of Peach Sandstorm, indicating ongoing enhancement of their newly developed custom backdoor.<\/span><\/p>\n Moreover, the security solution of Microsoft that comes pre-embedded with its Windows operating system, Microsoft Defender Antivirus, detected the \u201cFalseFont\u201d backdoor as:-<\/span><\/p>\n MSIL\/FalseFont.A!dha<\/span><\/p>\n Here below, we have mentioned the IOCs that will help the organizations detect this sophisticated backdoor in their environment:-<\/span><\/p>\n . C2: Digitalcodecrafters[.]com<\/span><\/p>\n . SHA-256: 364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614<\/span><\/p>\n Cybersecurity researchers at the Microsoft Threat Intelligence team are actively continuing their ongoing investigations in an attempt to hunt down all the associated activity of Peach Sandstorm through Microsoft Defender XDR.<\/span><\/p>\n Mitigations<\/b><\/p>\n Here below we have mentioned all the mitigations provided by the cybersecurity researchers at the Microsoft Threat Intelligence team:-<\/span><\/p>\n Reset passwords for accounts targeted in a password spray attack, especially those with system-level permissions.<\/span><\/p>\n Revoke any changes to multifactor authentication (MFA) settings made by attackers on compromised accounts.<\/span><\/p>\n Implement Azure Security Benchmark and general best practices for identity infrastructure security.<\/span><\/p>\n Create conditional access policies based on defined criteria to control environment access.<\/span><\/p>\n Block legacy authentication with Microsoft Entra ID using Conditional Access to prevent password spray attacks.<\/span><\/p>\n Enable AD FS web application proxy extranet lockout to protect against password brute force compromise.<\/span><\/p>\n Practice the least privilege and audit privileged account activity in Microsoft Entra ID environments.<\/span><\/p>\n Deploy Microsoft Entra ID Connect Health for AD FS to capture failed attempts and IP addresses in logs.<\/span><\/p>\n Use Microsoft Entra ID password protection to detect and block weak passwords and variants.<\/span><\/p>\n Turn on identity protection in Microsoft Entra ID to monitor and create policies for risky sign-ins.<\/span><\/p>\n Employ MFA for privileged accounts and risk-based MFA for normal accounts to mitigate password spray attacks.<\/span><\/p>\n Consider transitioning to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.<\/span><\/p>\n Secure RDP or Windows Virtual Desktop endpoints with MFA to harden against attacks.<\/span><\/p>\n Treat AD FS servers as Tier 0 assets, protecting them with measures similar to domain controllers.<\/span><\/p>\n Practice credential hygiene, including logon restrictions and controls like Windows Firewall on easily compromised systems.<\/span><\/p>\n Consider migrating to Microsoft Entra ID authentication to reduce the risk of on-premises compromises.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":" Iranian Hackers Developed a New Backdoor to Hack Windows Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:- APT33 Elfin Refined Kitten This nation-state group focuses primarily on the following sectors:- Aviation Construction Defense Education Energy Finance Healthcare Government Satellite Telecommunications In 2023, the group showed persistent interest …<\/p>\n","protected":false},"author":1,"featured_media":1384,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1383","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology-trends-and-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/posts\/1383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/comments?post=1383"}],"version-history":[{"count":0,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/posts\/1383\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/media?parent=1383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/categories?post=1383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aqqute.com\/blog\/wp-json\/wp\/v2\/tags?post=1383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}