Microsoft: Hackers Target Defense Firms With New FalseFont Malware

Cyber Threat Summary:
Yesterday, Microsoft posted a series of tweets on X (formerly known as Twitter) stating that it observed the Iranian cyber-espionage group APT33 deploying a new backdoor, dubbed FalseFont, in attacks targeting organizations in the Defense Industrial Base (DIB) sector. According to the tech giant, FalseFont was first observed in attacks as early as November 2023. The backdoor comes with a wide range of functionality that enables the actors to remotely access an infected system, launch additional files, and send information back to a C2 server under their control. To help organizations hunt for FalseFont in their environments, Microsoft has released a set of indicators and file hashes that can be found below:

Security Officer Comments:
The latest campaign showcases APT33’s continued interest in defense-sector organizations in the US and other countries. In particular, the DIB sector comprises over 100,000 defense companies and subcontractors involved in researching and developing military weapons systems, subsystems, and components, making it a prime target for these actors, whose motive is cyber espionage. The development of a new backdoor indicates that APT33 is working to improve its toolkit in order to launch further successful attacks.

Suggested Correction(s):
It’s unclear how the new backdoor is being distributed. In the past, this group has exploited known vulnerabilities and conducted password-spraying attacks to gain initial access to victim environments. As such, organizations should prioritize patching their systems, enabling multifactor authentication where possible, using strong, unique passwords, and rotating them on a regular basis.