In the ever-evolving landscape of cyber threats, nation-state hacking groups continue to pose significant challenges to global cybersecurity. Among these, Peach Sandstorm, an Iranian hacking group, has emerged as a formidable player with links to other notorious groups such as APT33, Elfin, and Refined Kitten. This nation-state collective has a broad target range, focusing on sectors critical to infrastructure and national security.
Peach Sandstorm’s strategic focus spans diverse sectors globally, including aviation, construction, defense, education, energy, finance, healthcare, government, satellite, and telecommunications. In 2023, the group demonstrated a persistent interest in the satellite, defense, and pharmaceutical sectors, hinting at a strategic shift in its cyber-espionage activities.
Peach Sandstorm employs opportunistic tactics, notably utilizing password spray campaigns. However, recent activities in 2023 reveal a departure from their historically noisy operations, showcasing a shift towards advanced cloud-based techniques. This evolution suggests a continuous effort to enhance their operational sophistication and evade detection.
A recent discovery by cybersecurity researchers at Microsoft Threat Intelligence uncovered a new custom backdoor named “FalseFont.” This sophisticated tool provides threat actors with remote access, file launching capabilities, and data transmission to Command and Control (C2) servers. Notably, this backdoor was detected in early November 2023 during Peach Sandstorm’s operations.
Microsoft Defender Antivirus Detection:
Microsoft Defender Antivirus, built into Windows operating systems, detects the FalseFont backdoor as “MSIL/FalseFont.A!dha.” The alignment of FalseFont’s development timeline with Microsoft’s year-long observation of Peach Sandstorm suggests ongoing efforts by the group to expand its cyber toolkit.
Indicators of Compromise (IOCs):
Organizations seeking to protect their environments from the FalseFont backdoor should be vigilant for the following IOCs:
- C2: Digitalcodecrafters[.]com
- SHA-256: 364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614
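One way to put the two published indicators to work in a defender's tooling, as an added example that is not code from the article or from Microsoft: the script below refangs the defanged C2 domain, hashes files for comparison against the published SHA-256, and scans DNS query log lines for the C2 host or any of its subdomains. The log format and the sample lines are constructed for illustration and are not real telemetry.

```python
import hashlib
import re

# IOCs as published in the article (the domain is kept defanged, as reports print it)
FALSEFONT_C2_DEFANGED = "Digitalcodecrafters[.]com"
FALSEFONT_SHA256 = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614"

# Constructed DNS query log lines (RFC 1918 clients, made-up timestamps), not real data
SAMPLE_DNS_LOG = [
    "2023-11-02T09:14:05Z client=10.0.4.17 query=digitalcodecrafters.com type=A",
    "2023-11-02T09:14:06Z client=10.0.4.17 query=cdn.example.net type=A",
    "2023-11-02T09:15:40Z client=10.0.4.22 query=api.DigitalCodeCrafters.com type=A",
    "2023-11-02T09:16:01Z client=10.0.4.30 query=notdigitalcodecrafters.com type=A",
]


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports ("[.]", "hxxp") back into a matchable, lower-cased value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def file_matches_ioc(path: str, ioc_sha256: str = FALSEFONT_SHA256) -> bool:
    return sha256_of_file(path) == ioc_sha256.lower()


def find_c2_hits(log_lines, c2_defanged: str = FALSEFONT_C2_DEFANGED):
    """Return the log lines whose queried host is the C2 domain or one of its subdomains.

    Hostnames are extracted with a regex and compared as whole labels, not as substrings,
    so a look-alike such as "notdigitalcodecrafters.com" does not produce a false hit.
    """
    c2 = refang(c2_defanged)
    hits = []
    for line in log_lines:
        for host in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", line.lower()):
            if host == c2 or host.endswith("." + c2):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
```

The subdomain check matters because a hunt on a bare domain string would miss `api.` or `cdn.` hosts under the same zone; the whole-label comparison keeps the match strict in the other direction.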
Ongoing Investigations and Mitigations:
Microsoft Threat Intelligence researchers are actively investigating Peach Sandstorm’s activities through Microsoft Defender XDR. To mitigate the threat, organizations are advised to implement several cybersecurity measures, including:
- Resetting passwords for accounts targeted in password spray attacks.
- Revoking any changes to multifactor authentication (MFA) settings made by attackers.
- Implementing Azure Security Benchmark and best practices for identity infrastructure security.
- Creating conditional access policies based on defined criteria to control environment access.
- Blocking legacy authentication with Microsoft Entra ID using Conditional Access.
- Enabling AD FS web application proxy extranet lockout to protect against password brute-force compromise.
- Practicing the principle of least privilege and auditing privileged account activity.
- Deploying Microsoft Entra ID Connect Health for AD FS to capture failed attempts and IP addresses in logs.
- Using Microsoft Entra ID password protection to detect and block weak passwords.
- Turning on identity protection in Microsoft Entra ID to monitor and create policies for risky sign-ins.
- Employing MFA for privileged accounts and risk-based MFA for normal accounts.
- Considering transitioning to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.
- Securing RDP or Windows Virtual Desktop endpoints with MFA to harden against attacks.
- Treating AD FS servers as Tier 0 assets, protecting them with measures similar to domain controllers.
- Practicing credential hygiene, including logon restrictions and controls like Windows Firewall.
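Several of the measures above (capturing failed attempts and source IP addresses in logs, resetting the accounts a spray touched) presume that a password spray can be told apart from ordinary failed sign-ins. The script below is an added example, not code from the article or from Microsoft, of that detection logic: it groups failed sign-ins by source IP and flags an IP that fails against many distinct accounts with only a few attempts each, which is the spray pattern as opposed to brute force on one account. The log format, users and TEST-NET addresses are constructed, and the thresholds (10-minute window, 5 distinct accounts, at most 2 failures per account) are assumptions to tune to the environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in records in a made-up format (TEST-NET addresses, fictitious users); not real telemetry.
# 203.0.113.5 sprays six accounts once or twice each, then gets a success on "grace";
# 198.51.100.9 hammers one account (brute force, not a spray); 192.0.2.44 is benign.
SAMPLE_SIGNIN_LOG = """\
2023-11-06T08:00:01Z ip=203.0.113.5 user=alice result=FAILURE reason=InvalidPassword
2023-11-06T08:00:09Z ip=203.0.113.5 user=bob result=FAILURE reason=InvalidPassword
2023-11-06T08:00:17Z ip=203.0.113.5 user=carol result=FAILURE reason=InvalidPassword
2023-11-06T08:00:25Z ip=203.0.113.5 user=dave result=FAILURE reason=InvalidPassword
2023-11-06T08:00:33Z ip=203.0.113.5 user=erin result=FAILURE reason=InvalidPassword
2023-11-06T08:00:41Z ip=203.0.113.5 user=frank result=FAILURE reason=InvalidPassword
2023-11-06T08:00:49Z ip=203.0.113.5 user=alice result=FAILURE reason=InvalidPassword
2023-11-06T08:01:02Z ip=203.0.113.5 user=grace result=SUCCESS
2023-11-06T08:02:10Z ip=198.51.100.9 user=bob result=FAILURE reason=InvalidPassword
2023-11-06T08:02:14Z ip=198.51.100.9 user=bob result=FAILURE reason=InvalidPassword
2023-11-06T08:02:18Z ip=198.51.100.9 user=bob result=FAILURE reason=InvalidPassword
2023-11-06T08:02:22Z ip=198.51.100.9 user=bob result=FAILURE reason=InvalidPassword
2023-11-06T08:03:00Z ip=192.0.2.44 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_signin_log(text: str):
    """Parse the constructed log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag each source IP whose failed sign-ins inside `window` touch at least `min_users`
    distinct accounts while no single account fails more than `max_per_user` times.
    Successful sign-ins from the same IP in that window are reported as the accounts to reset first.
    One finding per IP (the first window that triggers) keeps the output free of duplicates."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAILURE"]
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                end = start["ts"] + window
                success_users = sorted({e["user"] for e in evs
                                        if e["result"] == "SUCCESS" and start["ts"] <= e["ts"] <= end})
                findings.append({
                    "ip": ip,
                    "window_start": start["ts"].isoformat(),
                    "distinct_users": len(per_user),
                    "failures": len(in_window),
                    "success_users": success_users,
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(f)
```

The per-account ceiling is what separates a spray from a single-account brute force: the 198.51.100.9 source above fails four times but against one account, so it is left to a lockout or brute-force rule, while the many-accounts-few-attempts source is flagged together with the account that subsequently succeeded.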
Peach Sandstorm’s activities underscore the need for continuous vigilance and proactive cybersecurity measures. Organizations must stay informed about evolving threat landscapes, leverage advanced security solutions, and adhere to best practices to defend against sophisticated nation-state hacking groups like Peach Sandstorm. The ongoing efforts of cybersecurity researchers and collaborative mitigation strategies are crucial in safeguarding critical infrastructure and sensitive information from these persistent threats.