On March 24, 2023, Proofpoint released their report, “Account Compromise, Financial Theft, and Supply Chain Attacks: Analyzing the Small and Medium Business APT Phishing Landscape in 2023.”
Context
The report provides insight into key trends behind the growing prevalence of sophisticated advanced persistent threat (APT) activity targeting small and medium-sized businesses (SMBs), organizations that often lack the security resources of larger enterprises.
Key Takeaways
Key points of the report include:
- “APT actors using compromised SMB infrastructure in phishing campaigns.
- APT actors engaging in targeted state aligned financially motivated attacks against SMB financial services.
- APT actors targeting SMBs to initiate supply chain attacks.”
Prominent Incidents
The Proofpoint report identifies multiple specific examples of each key takeaway, including:
- “Compromised SMB infrastructure being utilized by the APT actor TA473 (referred to in open-source intelligence as Winter Vivern) in phishing campaigns from November 2022 through February 2023.
- A prominent case of APT impersonation in May 2022 when TA499 (also known as Vovan and Lexus, which are personas selected by the threat actors), a Russia-based and state encouraged actor who solicits politically themed video conference calls from prominent pro-Ukraine figures, targeted a medium-sized business that represents major celebrity talent in the United States.
- A medium-sized digital banking institution in the United States received a phishing campaign from the North Korea-aligned TA444. The email utilized a sender address that impersonated ABF Capital to deliver a malicious URL that prompted an infection chain leading to the delivery of the CageyChameleon malware.
- TA450—publicly known as Muddywater and attributed to Iran’s Ministry of Intelligence and Security—targeting two Israeli regional MSPs and IT support businesses via a phishing email campaign.”
Community Perspective
RH-ISAC data corroborates the increased prevalence of phishing in the first half of 2023, including against SMBs. For instance, in the most recent Intel Trends Summary, phishing emerged as the most common threat reported by members, accounting for 55% of reports; in the prior reporting period it was the second-most prominent threat at 31%. In addition, some lures described in the Proofpoint examples, such as the salary adjustment lure used in the TA444 campaign, are similar or nearly identical to lures reported by RH-ISAC member analysts.