Monday, November 4, 2024

APT Hacker Group Attacking SMBs to Use Their Infrastructure


Proofpoint’s security researchers have identified indications of sophisticated threat actors focusing their attention on small and medium-sized enterprises and service providers operating within that particular ecosystem.

The researchers recently issued a cautionary message in their latest report regarding a collection of increasingly severe threats SMBs face. 

Researchers used Proofpoint Essentials telemetry, covering more than 200,000 small and medium businesses, to identify distinctive APT trends that present significant risks to SMBs worldwide.


Specifically, they highlight the risk posed by well-funded APT groups, as well as the alarming possibility of supply chain attacks originating from managed service providers that are compromised.

Proofpoint’s advisory is significant because it highlights how exposed SMBs are: they frequently operate without a dedicated security team, which leaves them with little defense against malware attacks.

Persistent Threat Actor Groups

The researchers detected numerous advanced persistent threat (APT) actors focusing their attention on small and medium-sized businesses (SMBs), with a notable presence of threat actors aligned with the national interests of the following countries:

  • Russia
  • Iran
  • North Korea

Organizations generally prioritize their defenses around business email compromise (BEC), cybercriminals, ransomware, and the commodity malware found in the daily inflow of email received globally.

Advanced persistent threat actors conduct targeted phishing campaigns tied to strategic missions, yet awareness of these campaigns remains limited.

Those strategic missions include:

  • Espionage
  • Intellectual property theft
  • Destructive attacks
  • State-sponsored financial theft
  • Disinformation campaigns

Emerging APT Trends

Proofpoint researchers analyzing one year of APT campaign data have identified Russian, Iranian, and North Korean threat actors conducting phishing campaigns against SMBs, revealing three notable trends in attack types and tactics employed against these businesses.

The three notable trends are:

  • APTs exploit hacked SMB infrastructure for phishing attacks.
  • APTs target SMB financial services with state-aligned, financially motivated attacks.
  • APTs target SMBs for supply chain attacks.

The Exploitation of SMBs’ Infrastructure

In the past year, Proofpoint researchers noted an increase in instances where SMB domains or email addresses were impersonated or compromised, often through successful attacks on web servers or email accounts, either by harvesting credentials or exploiting unpatched vulnerabilities.

Once an email account was compromised, it was then used to send malicious emails to further targets.

If a threat actor managed to compromise a web server hosting a domain, they would exploit the legitimacy of that infrastructure, using it to host or distribute malware to a target unrelated to the initial compromise.

In a notable finding, Proofpoint researchers discovered that the APT actor TA473 (Winter Vivern) exploited compromised SMB infrastructure to conduct phishing campaigns aimed at US and European government entities between November 2022 and February 2023.

Government entities fell victim to email account compromises through the exploitation of unpatched Zimbra webmail servers.

Not only has TA473 employed compromised small and medium business (SMB) infrastructure to send emails, but it has also used compromised SMB domains to distribute malware payloads.

Apart from this, other threat actor groups such as TA422 and TA499 also actively exploited several SMBs.

By impersonating Ukrainian President Volodymyr Zelensky, TA499 attempted to lure a prominent American celebrity into a video conference call regarding the conflict in Ukraine.

State-aligned threat actors, particularly those associated with North Korea, pose an ongoing threat to the financial services sector by targeting institutions, decentralized finance, and blockchain technology in financially motivated attacks aimed at stealing funds and cryptocurrency, in addition to espionage, intellectual property theft, and destructive attacks.

Proofpoint identified a phishing campaign executed by the North Korea-aligned TA444, targeting a medium-sized digital banking institution in the United States, with the funds obtained likely being utilized to support various aspects of North Korea’s government operations.

Proofpoint’s recent publication highlighted TA444’s deceptive tactics, including impersonating ABF Capital in an email that contained a malicious URL, leading to the distribution of the CageyChameleon malware, showcasing their innovative approach during the latter half of 2022.

TA450’s focus on regional managed service providers (MSPs) in Israel suggests a consistent pattern in their geographic targeting, emphasizing their ongoing interest in exploiting supply chain attacks against vulnerable MSPs to gain access to downstream small and medium-sized business (SMB) users.

APT actors present a real threat to today’s small and medium businesses by compromising their infrastructure, engaging in state-aligned financial theft, and targeting regional MSP supply chains.


This research helps business owners and regional MSPs adopt agile email phishing protection, detect targeted attacks, prevent spam, and combat cybercrime threats effectively.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
