Security researchers at Proofpoint have spotted signs of advanced threat actors targeting small- and medium-sized businesses and the service providers in that ecosystem.
In a new report, the researchers warned of a series of escalating threats to SMBs from well-resourced APT groups and called attention to the risk of supply chain attacks from compromised managed service providers.
The warning from Proofpoint is particularly distressing because small- and medium-sized businesses often lack dedicated security teams and are considered sitting ducks for malware attacks.
The company identified three prominent trends: compromised SMB infrastructure being used in malicious phishing campaigns, regional SMB targeting by state-affiliated actors for financial theft, and the targeting of regional Managed Service Providers (MSPs) for downstream supply chain attacks.
According to data examined by Proofpoint, the APT actors specifically targeting SMBs include threat actors aligned with Russian, Iranian, and North Korean state interests.
“These skilled threat actors are well-funded entities associated with a particular strategic mission that can include espionage, intellectual property theft, destructive attacks, state-sponsored financial theft, and disinformation campaigns. While more rare and often much more targeted than cybercrime activity, Proofpoint data indicates that APT actors remain interested in SMB targets that align with their broader mandates,” the company said.
“This means that some of the most formidable cyber threat actors in the landscape maintain an interest in targeting businesses that are commonly under-protected against cyber security threats such as phishing campaigns,” Proofpoint added.
The report also flagged a noticeable trend of APT actors targeting regional MSPs to initiate and facilitate supply chain attacks.
“APT actors appear to have noticed this disparity between the levels of defense provided and the potential opportunities to gain access to desirable end user environments,” Proofpoint said, pointing to a notable case that occurred in early 2023, when TA450, attributed to Iran’s Ministry of Intelligence and Security, targeted two Israeli regional MSPs and IT support businesses via a phishing email campaign.
The data shows that Iran-based APT groups are focused on targeting regional technology providers to gain access to downstream SMB users via supply chain attacks that originate at vulnerable regional MSPs.