State-Aligned Actors Targeting SMBs Globally

Cyber Security Threat Summary:
“Proofpoint researchers have discovered that advanced persistent threat (APT) actors are increasingly targeting small and medium-sized businesses (SMBs), governments, militaries, and major corporations through compromised SMB infrastructure in phishing campaigns. These threat actors are also launching financially motivated attacks against SMB financial services firms and carrying out supply chain attacks affecting SMBs. Proofpoint emphasizes the tangible risk that APT actors pose to SMBs today through the compromise of their infrastructure. According to Proofpoint threat researcher Michael Raggi, phishing data indicates a growing trend of state-aligned cyberattacks targeting SMBs. APT actors recognize the value of targeting non-enterprise-scale organizations for the intelligence they can provide and the weaker links they represent in the supply chain. Proofpoint anticipates that SMB targeting will continue to rise throughout 2023, originating from APT actors across various geographies. One observed method of attack involves the impersonation or compromise of an SMB domain or email address, which may result from credential harvesting or the exploitation of unpatched vulnerabilities in web servers. Once compromised, threat actors use these email addresses to send malicious emails or abuse legitimate infrastructure to host or deliver malware to other targets. Proofpoint previously identified the group TA473, also known as Winter Vivern, using compromised SMB infrastructure in phishing campaigns. TA473 targeted various countries and organizations, including military, government, and diplomatic entities involved in repelling Russia's invasion of Ukraine. In another instance, TA422 (also known as APT28) launched a credential-harvesting phishing campaign targeting private email addresses in the United States and Ukraine. This campaign, attributed to Russian GRU-related organizations, spoofed a Middle Eastern entity to target organizations in the U.S. and Europe” (BankInfoSec).

Security Officer Comments:
“Financially motivated attacks by APT actors remain a persistent threat to the financial services sector. North Korean threat actors, in particular, are known for targeting financial institutions to steal funds and cryptocurrency. Supply chain attacks have also increased, with APT actors targeting vulnerable regional managed services providers (MSPs) to initiate attacks on SMBs. Regional MSPs, while protecting multiple SMBs, often have limited cybersecurity defenses that are easily exploited by APT actors. These actors target MSPs through phishing campaigns in specific geographies that align with their strategic collection requirements. For example, TA450 (also known as MuddyWater and attributed to Iran's Ministry of Intelligence and Security) targeted Israeli regional MSPs and IT support businesses through a phishing email campaign. The emails contained a link to a cloud hosting provider, leading victims to a Zip archive with a legitimate installer executable file for the remote administration tool Syncro. Once installed, threat actors can utilize Syncro as a remote access Trojan to conduct further intrusion activities” (BankInfoSec).

Suggested Correction(s):
Measures for SMBs include patching vulnerabilities promptly, educating employees about phishing threats, and conducting regular security assessments. Collaboration with MSPs for improved cybersecurity defenses is also recommended.

Link(s):
https://www.bankinfosecurity.com/state-aligned-actors-targeting-smbs-globally-a-22152