Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
A new backdoor, known as “FalseFont”, has been discovered and attributed to the Iranian hacking group Peach Sandstorm. As a Managed Service Provider (MSP) or mid-market company, you are under the spotlight as the FalseFont backdoor poses a significant threat to your networks.
If you’re part of a mid-market organization, with moderate revenue and employee size, your security resources might not be as extensive as those in larger enterprises, increasing your susceptibility to the impact of the FalseFont backdoor.
MSPs are a critical line of defense for their clients – more than 60% of businesses use an MSP for at least one operation.
Morten Kjaersgaard, Heimdal’s CEO
First, let’s explore who is behind this backdoor. After that, I’ll discuss ways you can protect yourself in the event of an attack.
Who is Peach Sandstorm?
Peach Sandstorm is a threat actor group believed to be based in Iran but has a global reach. The group has been active since at least 2013 and is known for its use of sophisticated cyberattacks against organizations in the defense, aerospace, energy, and other critical sectors in the United States, Europe, and Asia.
What is FalseFont backdoor?
FalseFont is a custom-built backdoor that Peach Sandstorm developed in 2023. It is malicious software that can be used to remotely control compromised Windows systems, steal data, download and execute files, or disrupt operations.
Below, we have mentioned the IOCs that will help you detect this sophisticated backdoor in your environment:
- C2: Digitalcodecrafters[.]com
- SHA-256: 364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614
How does the FalseFont backdoor infiltrate systems?
Target organizations can be compromised with the FalseFont backdoor through a variety of methods, including:
Spear-phishing emails
Embedded in emails that are sent to employees of targeted organizations. When the employees click on a link or open an attachment in the email, the backdoor is installed on their systems.
Supply chain attacks
It can be installed on systems by compromising the supply chain of software or hardware.
Zero-day exploits
It can be installed on systems by exploiting zero-day vulnerabilities in software or hardware. Zero-day vulnerabilities are vulnerabilities that are unknown to the software or hardware vendor.
Who is Most Vulnerable?
If you are a Managed Service Provider or mid-market organization, here is what you need to know:
MSPs and mid-market companies are at high risk due to their often-limited cybersecurity measures. Unlike larger enterprises, these organizations may not have the same level of expertise or resources to effectively protect their networks from sophisticated attacks like FalseFont.
For hackers, compromising an MSP is a strategic move, as it can provide access to a multitude of networks and sensitive information from various companies. Mid-market companies can be particularly vulnerable when their MSP is compromised, as they could face significant operational, financial, and reputational damage.
Effective measures for MSPs and Mid-Market Companies
You can protect yourself and your organization against the FalseFont backdoor and similar threats by implementing a layered security approach. This approach involves implementing multiple layers of security, each of which contributes to the overall defense. Some key components of a layered security approach include:
Network Security
Implement network security solutions that can block malicious traffic from entering your network. This includes firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
- Firewalls examine all incoming and outgoing traffic based on predetermined security rules and filter traffic based on these rules. This can include blocking certain websites, restricting traffic to certain ports, or preventing specific types of network traffic.
- An IDS monitors network traffic for suspicious activity and known threats, essentially serving as a second layer of security after the firewall. If a potential threat is detected, the IDS alerts network administrators.
- While an IDS primarily detects and alerts, an IPS takes it a step further by also taking preventive action against detected threats. An IPS actively monitors network traffic to block potential threats before they reach the network’s devices. It operates in line to actively prevent attacks in real time.
Endpoint Security
This includes antivirus, anti-malware, and endpoint detection and response (EDR) solutions. These tools are crucial for detecting and removing malware from compromised systems.
However, it’s important to note that effective endpoint security doesn’t rely solely on them. It also involves regular software updates, patch management, and educating users about safe computing practices to reduce the risk of malware infections.
Multi-factor authentication (MFA)
MFA is based on the principle that granting access based solely on a single factor, typically a password, is not secure enough. This method is highly effective in enhancing security by adding multiple layers of defense against unauthorized access.
Brute force attack (BFA) Protection
BFA Protection is a crucial security measure to defend against backdoor attacks, particularly those that attempt to gain unauthorized access by guessing passwords. Here’s how BFA protection works:
Limiting Login Attempts
If the system detects an unusual number of failed login attempts, it assumes a brute-force attack is being attempted. The account may then be locked for a certain period, or additional authentication may be required. This approach significantly slows down an attacker’s ability to try different password combinations.
Account Lockout Policies
Temporarily locking accounts after a certain number of failed login attempts. This not only prevents continuous password guessing but also alerts the legitimate user and system administrators to possible attack attempts.
Monitoring and Alerting
Implementing systems to monitor login attempts and alert administrators of suspicious activities can help in quickly identifying and mitigating brute-force attacks.
From the unified, intuitive Heimdal dashboard you can even choose to automatically block the RDP port on brute force detection. You also have the option to isolate an endpoint – in this case, all its external connections will be rerouted through the Heimdal systems.
Morten Kjaersgaard, Heimdal’s CEO
Security Awareness Trainings
Backdoor attacks often involve exploiting human vulnerabilities rather than technical flaws, making education and awareness among employees just as important.
Incident Response Plan
Since backdoor attacks can be particularly stealthy and damaging, an effective Incident Response Plan (IRP) is essential. Make sure you have a plan for responding to cybersecurity incidents if one occurs.
How Can Heimdal® Help
Heimdal offers a range of solutions that are specifically designed to help MSPs and mid-market companies protect themselves from FalseFont and other cyber threats. These solutions include:
- DNS Filtering
- Endpoint Isolation
- Brute Force Attack Prevention
Heimdal® is committed to providing personalized cybersecurity solutions to MSPs and mid-market companies. We have a team of experienced customer success representatives who can help you assess your security posture, develop a tailored security plan, and implement and manage your security solutions.
With over three years as a SOC Team Lead in the Heimdal MXDR department, Adelina is dedicated to sharing her knowledge and insights through her writing. Her articles and publications provide invaluable guidance on emerging trends, best practices, and effective strategies to combat cyber threats.
