APT Hacker Group Attacking SMBs to Use Their Infrastructure

Proofpoint’s security researchers have identified indications of sophisticated threat actors focusing their attention on small and medium-sized enterprises and service providers operating within that particular ecosystem.

The researchers recently issued a cautionary message in their latest report regarding a collection of increasingly severe threats SMBs face. 

Researchers used Proofpoint Essentials telemetry, covering more than 200,000 small and medium businesses, to identify distinctive APT trends that present significant risks to SMBs worldwide.

Specifically, they highlight the risk posed by well-funded APT groups, as well as the alarming possibility of supply chain attacks originating from managed service providers that are compromised.

Proofpoint’s advisory is a significant concern because SMBs frequently operate without dedicated security teams, which leaves them susceptible to malware attacks and largely undefended.

Persistent Threat Actor Groups

The researchers successfully detected numerous advanced persistent threat (APT) actors, exclusively focusing their attention on small and medium-sized businesses (SMBs), with a notable presence of threat actors affiliated with the national interests of the following countries:-

Organizations prioritize network security by addressing business email compromise (BEC), cybercriminals, ransomware, and common malware found in the daily inflow of emails received globally.

Advanced persistent threat actors conduct targeted phishing campaigns associated with strategic missions, but they are still not widely understood.

These missions include:

  • Espionage
  • Intellectual property theft
  • Destructive attacks
  • State-sponsored financial theft
  • Disinformation campaigns

Emerging APT Trends

Proofpoint researchers analyzing one year of APT campaign data have identified Russian, Iranian, and North Korean threat actors conducting phishing campaigns against SMBs, revealing three notable trends in attack types and tactics employed against these businesses.

The three trends are:

  • APTs exploit hacked SMB infrastructure for phishing attacks.
  • APTs target SMB financial services with state-aligned, financially motivated attacks.
  • APTs target SMBs for supply chain attacks.

The Exploitation of SMBs’ Infrastructure

In the past year, Proofpoint researchers noted an increase in instances where SMB domains or email addresses were impersonated or compromised, often through successful attacks on web servers or email accounts, either by harvesting credentials or exploiting unpatched vulnerabilities.

After a successful compromise, the email address was used to send malicious emails to further targets.

If a threat actor compromised a web server hosting a domain, they would exploit the legitimacy of that infrastructure, using it to host or distribute malware aimed at a target unrelated to the initial compromise.

In a notable finding, Proofpoint researchers discovered that the APT actor TA473 (Winter Vivern) exploited compromised SMB infrastructure to conduct phishing campaigns aimed at US and European government entities between November 2022 and February 2023.

Government entities have fallen victim to email account compromises through the exploitation of unpatched Zimbra webmail servers.

TA473 has not only used compromised small and medium business (SMB) infrastructure to send emails, but has also used compromised SMB domains to distribute malware payloads.

Apart from this, other threat actor groups such as TA422 and TA499 actively exploited several SMBs.

By impersonating Ukrainian President Volodymyr Zelensky, TA499 attempted to lure a prominent American celebrity into a video conference call regarding the conflict in Ukraine.

State-aligned threat actors, particularly those associated with North Korea, pose an ongoing threat to the financial services sector by targeting institutions, decentralized finance, and blockchain technology in financially motivated attacks aimed at stealing funds and cryptocurrency, in addition to espionage, intellectual property theft, and destructive attacks.

Proofpoint identified a phishing campaign executed by the North Korea-aligned TA444, targeting a medium-sized digital banking institution in the United States, with the funds obtained likely being utilized to support various aspects of North Korea’s government operations.

Proofpoint’s recent publication highlighted TA444’s deceptive tactics, including impersonating ABF Capital in an email that contained a malicious URL, leading to the distribution of the CageyChameleon malware, showcasing their innovative approach during the latter half of 2022.

TA450’s focus on regional managed service providers (MSPs) in Israel suggests a consistent pattern in their geographic targeting, emphasizing their ongoing interest in exploiting supply chain attacks against vulnerable MSPs to gain access to downstream small and medium-sized business (SMB) users.

APT actors present a real threat to today’s small and medium businesses by compromising their infrastructure, engaging in state-aligned financial theft, and targeting regional MSP supply chains.

This research aids business owners and regional MSPs in adopting agile email phishing protection, detecting targeted attacks, preventing spam, and effectively combating cybercrime threats.

Source: gbhackers.com