Peach Sandstorm, an Iranian state-sponsored threat actor, targets diverse sectors globally, and this group is linked to:
Peach Sandstorm has a history of relying on password spray campaigns. Rather than hammering one account with many guesses, a password spray tries a small number of common passwords against many accounts, which keeps each account below lockout thresholds; the breadth of targets this produces is what gives the group its opportunistic profile.
This custom backdoor, FalseFont, provides the following capabilities to its operators:
Microsoft first observed FalseFont in early November 2023, in operations against the group's targets.
The development and use of FalseFont is consistent with the Peach Sandstorm activity Microsoft has observed over the past year, and suggests the group is continuing to improve its tradecraft with newly developed custom tooling.
Below are the IOCs that will help organizations detect this backdoor in their environment:
Researchers at the Microsoft Threat Intelligence team are continuing to investigate and track all activity associated with Peach Sandstorm through Microsoft Defender XDR. Below are the mitigations they recommend:
Reset the passwords of accounts targeted in a password spray attack, prioritizing any that hold system-level or administrative permissions.
Revoke any changes attackers made to multifactor authentication settings on compromised accounts, such as newly registered authentication methods or devices.
Block legacy authentication in Microsoft Entra ID using Conditional Access. Legacy protocols (basic-auth IMAP, POP3, SMTP, Exchange ActiveSync and similar) cannot enforce MFA, which is why password sprays are routinely aimed at them.
Enable AD FS web application proxy extranet lockout (extranet smart lockout on AD FS for Windows Server 2016 and later) to protect against password brute force and spray compromise.
Practice the least privilege and audit privileged account activity in Microsoft Entra ID environments.
Deploy Microsoft Entra ID Connect Health for AD FS so that failed sign-in attempts and their source IP addresses are captured in logs and can be correlated across accounts.
Use Microsoft Entra ID password protection to detect and block weak passwords and variants.
Turn on identity protection in Microsoft Entra ID to monitor and create policies for risky sign-ins.
Employ MFA for privileged accounts and risk-based MFA for normal accounts to mitigate password spray attacks.
Consider transitioning to passwordless authentication methods such as Microsoft Authenticator passwordless sign-in (Azure MFA), certificate-based authentication, or Windows Hello for Business.
Secure RDP or Windows Virtual Desktop endpoints with MFA to harden against attacks.
Practice credential hygiene, including logon restrictions and host-based controls such as Windows Firewall, on systems that are easily compromised.
Consider migrating from AD FS to Microsoft Entra ID authentication to reduce the attack surface of on-premises federation infrastructure.
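The mitigations above assume you can recognise a spray in your sign-in logs and tell which accounts it hit. The following script is an added example, not code from the article or from Microsoft: it runs spray detection over a constructed set of Microsoft Entra ID sign-in records (field names follow the sign-in log schema: createdDateTime, userPrincipalName, ipAddress, status.errorCode, clientAppUsed), reports which accounts later succeeded from the spraying IP (the ones to reset first), and lists accounts still authenticating over legacy protocols that the Conditional Access block should cover. The thresholds, the sample records and the IP addresses are assumptions for illustration.

```python
"""Password-spray triage over Microsoft Entra ID sign-in log records.

Added example: the records below are constructed to resemble Entra ID
sign-in log exports; thresholds are assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126     # AADSTS50126: invalid username or password
SUCCESS = 0
# Everything outside these two clientAppUsed values is a legacy protocol
# (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients", ...) that
# cannot enforce MFA, which is what a Conditional Access legacy-auth
# block policy targets.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def _rec(ts, upn, ip, code, app):
    """Build one record shaped like a sign-in log entry (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "clientAppUsed": app}


# Constructed sample log. 203.0.113.7 sprays six accounts over IMAP4 with
# one or two guesses each and gets into carol; 198.51.100.4 is a single
# account brute force (not a spray); 192.0.2.10 is a normal browser login.
SAMPLE_LOG = [
    _rec("2023-11-02T01:00:00Z", "alice@example.com", "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:03:00Z", "bob@example.com",   "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:06:00Z", "carol@example.com", "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:09:00Z", "dave@example.com",  "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:12:00Z", "erin@example.com",  "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:15:00Z", "frank@example.com", "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:18:00Z", "alice@example.com", "203.0.113.7", 50126, "IMAP4"),
    _rec("2023-11-02T01:21:00Z", "carol@example.com", "203.0.113.7", 0,     "IMAP4"),
] + [
    _rec(f"2023-11-02T02:0{i}:00Z", "grace@example.com", "198.51.100.4", 50126, "Browser")
    for i in range(5)
] + [
    _rec("2023-11-02T03:00:00Z", "heidi@example.com", "192.0.2.10", 0, "Browser"),
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, min_users=5, max_per_user=3,
                          window=timedelta(hours=1)):
    """Flag source IPs whose failures look like a spray: at least
    `min_users` distinct accounts, no account tried more than `max_per_user`
    times, all failures inside `window`. Returns
    {ip: {"users": [...targeted], "compromised": [...succeeded afterwards]}}."""
    failures = defaultdict(list)    # ip -> [(time, upn)]
    successes = defaultdict(list)   # ip -> [(time, upn)]
    for rec in records:
        entry = (_ts(rec), rec["userPrincipalName"])
        code = rec["status"]["errorCode"]
        if code == INVALID_CREDENTIALS:
            failures[rec["ipAddress"]].append(entry)
        elif code == SUCCESS:
            successes[rec["ipAddress"]].append(entry)

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        per_user = defaultdict(int)
        for _, upn in attempts:
            per_user[upn] += 1
        span = attempts[-1][0] - attempts[0][0]
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user
                and span <= window):
            first_seen = attempts[0][0]
            # A success from the spraying IP after the spray began is a
            # likely compromise: reset that account and review its MFA methods.
            hits = sorted({upn for t, upn in successes.get(ip, []) if t >= first_seen})
            findings[ip] = {"users": sorted(per_user), "compromised": hits}
    return findings


def legacy_auth_signins(records):
    """Accounts seen authenticating over legacy protocols (success or
    failure). Returns {upn: sorted list of client apps used}."""
    seen = defaultdict(set)
    for rec in records:
        if rec["clientAppUsed"] not in MODERN_CLIENT_APPS:
            seen[rec["userPrincipalName"]].add(rec["clientAppUsed"])
    return {upn: sorted(apps) for upn, apps in seen.items()}


if __name__ == "__main__":
    for ip, f in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {len(f['users'])} accounts targeted, "
              f"compromised: {f['compromised']}")
    for upn, apps in legacy_auth_signins(SAMPLE_LOG).items():
        print(f"legacy auth still used by {upn}: {apps}")
```

The single-account brute force against grace is deliberately not reported: it fails the distinct-account threshold, and is the case AD FS extranet lockout handles. The `window` check is a simplification; a low-and-slow spray spread over days needs a sliding window over time buckets rather than one span check, and a shared corporate NAT address with many mistyped passwords will look similar, so confirm the clientAppUsed and geography before resetting accounts.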
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 23 Dec 2023 10:10:30 +0000