On March 24, 2023, Proofpoint released their report, “Account Compromise, Financial Theft, and Supply Chain Attacks: Analyzing the Small and Medium Business APT Phishing Landscape in 2023.”
Context
The report provides insight into key trends in the increasing prevalence of sophisticated advanced persistent threats (APTs) targeting small and medium-sized businesses (SMBs).
Key Takeaways
Key points of the report include:
- “APT actors using compromised SMB infrastructure in phishing campaigns.
- APT actors engaging in targeted state aligned financially motivated attacks against SMB financial services.
- APT actors targeting SMBs to initiate supply chain attacks.”
Prominent Incidents
The Proofpoint report identifies multiple specific examples of each key takeaway, including:
- “Compromised SMB infrastructure being utilized by the APT actor TA473 (referred to in open-source intelligence as Winter Vivern) in phishing campaigns from November 2022 through February 2023.
- A prominent case of APT impersonation in May 2022 when TA499 (also known as Vovan and Lexus, which are personas selected by the threat actors), a Russia-based and state encouraged actor who solicits politically themed video conference calls from prominent pro-Ukraine figures, targeted a medium-sized business that represents major celebrity talent in the United States.
- A medium-sized digital banking institution in the United States received a phishing campaign from the North Korea-aligned TA444. The email utilized an email sender address that impersonated ABF Capital to deliver a malicious URL that prompted an infection chain leading to the delivery of the CageyChameleon malware.
- TA450—publicly known as Muddywater and attributed to Iran’s Ministry of Intelligence and Security—targeting two Israeli regional MSPs and IT support businesses via a phishing email campaign.”


