
Phishing is the biggest security threat to SMEs

by admin

Proofpoint analysts have identified phishing campaigns as among the top trends in attacks targeting SMBs between 2022 and 2023. Specifically, analysts have identified three main trends: the use of compromised companies’ infrastructure during phishing campaigns; the targeting of local SMEs by state-sponsored entities for financial theft; and the targeting of regional MSPs (Managed Service Providers) vulnerable to phishing, which raises the risk of supply chain attacks on SMEs.

The landscape of APT actors

Proofpoint researchers conducted a retrospective analysis of affected SMBs from Q1 2022 to Q1 2023. Leveraging the telemetry of Proofpoint Essentials, which includes more than 200,000 small and medium business users, researchers were able to identify key trends in the APT actor landscape. By examining this data, they identified a number of actors targeting SMEs specifically, including APTs aligned with the Russian, Iranian and North Korean governments. This research highlights the threats faced today and provides the community with attack use cases from the past year.

The main phishing danger

Michael Raggi, Staff Threat Research Engineer at Proofpoint
Increasingly, Proofpoint’s phishing analyses report data on SMEs targeted by cyber attacks sponsored by states. Actors of advanced persistent threats have realized the value of targeting even the smallest companies, both for the valuable information they can offer and for the possibility to more easily penetrate their supply chain. Proofpoint predicts that in 2023, SMEs will be even more frequently targeted by APT actors from all geographies.

Understanding APTs

Many organizations looking to secure their network focus on business email compromise (BEC), cybercriminals, ransomware, and standard malware: dangers commonly present in emails received every day by millions of users around the world. An understanding of APTs and their phishing campaigns is less common and less widespread.


The perpetrators of these threats are well-funded entities pursuing a particular strategic mission, which may include espionage, theft of intellectual property, destructive attacks, financial theft supported by a state entity, and disinformation campaigns. While APT activity is rarer and more targeted than common cybercrime, Proofpoint’s data indicates that APTs continue to be interested in targeting SMBs that are relevant to those missions and may be less protected.

These are the emerging APT trends

By examining data from one year of APT campaigns, Proofpoint researchers identified Russian, Iranian and North Korean actors mainly interested in targeting SMEs through phishing campaigns. Three main related trends emerged during the Proofpoint research:

  • APTs using compromised SME infrastructure during their phishing campaigns;
  • State-based APTs targeting SME financial services for direct economic return;
  • APTs targeting SMEs to launch supply chain attacks.

For the security of SMEs, phishing remains the main danger

Proofpoint researchers have observed more cases of impersonation or compromise of SME domains or email addresses in the last year, often involving a server or email account. The compromise can be the result of credential harvesting or, in the case of a server, the exploitation of an unpatched vulnerability. Once compromised, the email address was used to send malicious emails to subsequent targets. If an actor compromised a server hosting a domain, the actor then abused this legitimate infrastructure to host or deliver malware to a third-party target.

US and European government bodies in the crosshairs

Proofpoint researchers recently identified an example of compromised SME infrastructure used by APT actor TA473 (referred to in open-source information as Winter Vivern) in phishing campaigns from November 2022 to February 2023. These operations targeted US and European government entities. In March 2023, Proofpoint published details on emails transmitted by TA473 via compromised email addresses. In several cases, they came from WordPress-hosted domains that may have been unpatched or insecure at the time of the compromise. Additionally, unpatched Zimbra webmail servers have been exploited to compromise government accounts. TA473 also used small and medium business domains to distribute malware payloads.


The case of TA499

Finally, the researchers observed one case of impersonation in May 2022, when TA499 (also known as Vovan and Lexus, figures hand-picked by threat actors), based in Russia, backed by the Russian state itself and operating through fake participation in pro-Ukraine video conferences, targeted a medium-sized company that represents prominent celebrities in the United States. TA499 tried to lure a prominent American figure into a video conference on the conflict in Ukraine by posing as Ukrainian President Volodymyr Zelensky. Proofpoint was able to attribute this campaign to TA499 based on a set of actor-controlled email addresses and domains that the group consistently used throughout 2022.

There are many cyber dangers, but phishing remains the main danger

In addition to espionage, intellectual property theft and destructive attacks, financially motivated attacks by state-based actors remain a persistent threat to the financial services sector. In past years, APTs close to North Korea have targeted financial services institutions, decentralized finance and blockchain technology. The goal is to steal funds and cryptocurrencies, mostly used to finance various aspects of North Korea’s government operations.

Increasing attacks against regional providers

The latest emerging trend observed between 2022 and 2023 is the increase in the number of APT attacks targeting vulnerable regional Managed Service Providers (MSPs) to make them a vector for supply chain attacks. Regional MSPs often protect hundreds of local SMBs, many with limited, non-enterprise-grade security measures. As a result, Proofpoint has observed several instances of regional MSPs being targeted in phishing campaigns within geographies that align with the strategic objectives of APT actors.


Phishing is the biggest security threat to SMEs

In mid-January 2023, Proofpoint researchers observed that TA450, known publicly as MuddyWater and attributed to the Iranian Ministry of Intelligence and Security, targeted two Israeli regional MSPs and IT support companies via a phishing campaign. Targeting regional MSPs in Israel is in line with TA450’s historical geographic focus. Additionally, this recent campaign indicates that TA450 remains interested in targeting regional technology vendors in order to access SMB users through attacks on the supply chain of vulnerable regional MSPs.

Focus not only on SMEs

An increasingly complex APT phishing landscape indicates that threat actors are increasingly looking to target regional SMBs and MSPs. Proofpoint data from the last year indicates that several nations and known APT threat actors are concentrating on small and medium-sized businesses, as well as governments, the military and major corporations. By compromising the infrastructure of small and medium-sized businesses to subsequently strike secondary targets, through state-sponsored financial theft, and through attacks on the supply chain of regional MSPs, APT actors pose a tangible risk to SMBs.
