Iranian cyberspies target US defense orgs with a brand new backdoor

Also: International cops crackdown on credit card stealers and patch these critical vulns

Infosec in brief Iranian cyberspies are targeting defense industrial base organizations with a new backdoor called FalseFont, according to Microsoft.

In a series of Xeets posted Thursday, Redmond's threat intel team said it spotted a nation-state backed gang it calls Peach Sandstrom attempting to deliver the (presumably Windows) malware to defense-sector employees.

"FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 servers," Microsoft said. "It was first observed being used against targets in early November 2023."

Mandiant, which tracks the Iran-backed crew as APT33, says it targets organizations in the US, Saudi Arabia and South Korea for "strategic cyberespionage," with a particular interest in both commercial and military aviation companies as well as those in the energy sector with ties to petrochemical production.

"We identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries," the threat hunters said in an alert updated in October.

In research published a month earlier, Microsoft said it had seen the crew engaged in password spraying attempts against "thousands of organizations."

When these brute-force attacks were successful, Peach Sandstorm then used a combination of publicly available and custom tools for to snoop around on the network, maintain persistence and move laterally through the victim's IT systems, we're told. 

"In a small number of intrusions," Redmond added, "Peach Sandstorm was observed exfiltrating data from the compromised environment."

Hundreds of e-commerce sites compromised by card stealers

Cyber crooks compromised 443 online shops, using JavaScript-sniffers to steal these e-merchants' customers' credit card or payment information, according to Europol.

The coordinated effort to combat digital skimming attacks included cops from 17 countries, the European Union Agency for Cybersecurity (ENISA), and private-sector security shops Group-IB and Sansec.

Over the course of two months, the law enforcement agencies notified the online retailers that their customers' payment details had been stolen as part of the crooks' online fraud scheme.

In these attacks, thieves use snippets of JavaScript code to intercept customers' card data during the online checkout process without the retailers or customers realizing they've been compromised. They often go undetected for a long time — and by the time they are spotted, the crooks have already been on shopping sprees of their own, or put the financial info up for sale on illicit marketplaces. 

Countries participating in the Greece-led effort include Albania, Belgium, Bosnia and Herzegovina, Colombia, Croatia, Finland, Germany, Georgia, Hungary, Moldova, Netherlands, Poland, Romania, Spain, the United Kingdom and the United States.

During the operation, Group-IB's threat intelligence team identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter and R3nin, we're told. The security firm says, as of the end of 2023, there's 132 known JS-sniffer families that have been used to compromise websites across the globe.

Critical vulnerabilities of the week

We've got some end-of-the year critical vulnerabilities including at least one that's already been found and exploited in the wild. So before you sign off for the holiday break, get to patching. And pray for a Christmas miracle: No more zero-days in 2023.

Chrome bug under exploit — CVE-2023-7024: This one doesn't yet have a CVSS rating, but Google classified it as high severity, and warns that an exploit for this heap buffer overflow vulnerability in WebRTC is making the rounds. Reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group on 2023-12-19

Apple security updates — CVE-2023-42940 and more: Apple released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma, but only released details and a CVE for one of these. It's a session rendering issue in macOS Sonoma that could be exploited to steal sensitive information.

CVSS 9.8 — Multiple CVEs: Ivanti's Avalanche enterprise mobile device management product contains 12 memory corruption bugs that could be exploited by sending specially crafted data packets to the Mobile Device Server, resulting in denial of service  or remote  code execution.

CVSS 9.8 — Multiple CVEs: EuroTel ETL3100 radio transmitters, versions v01c01 and v01x37, are vulnerable to three bugs that could allow an attacker to gain full access to the system, disclose sensitive information. or access hidden resources.

CVSS 9.6 — Multiple CVEs: EFACEC BCU 500 control and automation devices are susceptible to uncontrolled resource consumption and cross-site request forgery flaws that could allow a denial-of-service condition or compromise the web application.

Russian infosec worker to be extradited to Moscow

Kazakhstan will reportedly extradite a network security specialist to Moscow, despite the US government's demand to send him to Washington.

The Eastern Bloc country detained Nikita Kislitsin, an employee of Russian infosec shop FACCT, on June 22 at the request of the US, which accused him of committing cyber crimes, according to a statement by his employer.

"According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than ten years ago when Nikita worked as a journalist and independent researcher," the statement said, presumably referring to his work as former editor of Hacker magazine.

The US extradition request seems to be related to earlier charges against Kislitsin, who is accused of breaking into the social networking service Formspring in 2012. 

A 2014 indictment [PDF] alleges that, after breaking and entering, Kislitsin stole usernames, email addresses, and passwords, and then tried to sell the stolen database for 5,000 euros a pop.

Shortly after the Feds demanded Kislitsin be extradited to America, Moscow came out with its own extradition request, which appears to have won the battle — at least according to the the General Prosecutor's Office of the Russian Federation.

On Thursday, the government agency said Kislitsin will be sent back to Russia where he will face criminal charges related to hacking. 

"According to the investigation, in October 2022, Kislitsin, together with his accomplices, unlawfully gained access to the server data of one of the commercial organizations," the general prosecutor's statement said. "After this, they were copied."

After allegedly stealing the org's data, Kislitsin then tried to extort the firm for $550,000 rubles in cryptocurrency. ®

More about


Send us news

Other stories you might like