Global Threat Landscape
Proofpoint has observed multiple major changes impacting the global threat landscape. This includes the shift away from macro-enabled documents, the increased use and availability of credential phishing kits that bypass multi-factor authentication (MFA), and efforts to build trust with targets by initiating benign conversations before sending content with a payload.
From mid-2022 into 2023, the threat landscape experienced one of the largest shifts in threat behaviors across threat actor designations due to Microsoft beginning to block macro-enabled attachments by default in its Office products. This change forced threat actors to adopt new mechanisms of malware delivery, including regularly modifying tactics, techniques, and procedures (TTPs) in campaigns as an attempt to evade detections, and using infrequently observed filetypes.
MFA is becoming a standard security practice and phish kits have evolved to steal these tokens and bypass MFA. Threat actors are using phish kits that leverage transparent reverse proxy, which enables them to conduct “attacker-in-the-middle” during a browser session and steal credentials and session cookies in real-time. Based on Proofpoint visibility, such kits are becoming more widely available.
Proofpoint has also observed an increase in telephone-oriented attack delivery (TOAD) threats, which use social engineering to prompt a recipient to phone a fake customer service representative, which leads to the installation of malware. Proofpoint currently observes hundreds of thousands of these threats per day.
Cybercrime Targeting Italy
Proofpoint researchers have observed multiple threat actors targeting Italian organizations for financial gain. Such actors leverage social engineering techniques including spoofing Italian government entities or purporting to be replies to existing conversations to trick users into trusting and engaging with the content.
Threat actors demonstrate many objectives for exploitation, including stealing data and taking over accounts, obtaining banking details to steal funds, or install follow-on malware including potentially ransomware. Such threats can have major financial impacts, with losses totaling millions of dollars.
Key findings from the attached PDF include:
- Actors across the threat landscape, including those targeting Italian users, are adopting new delivery methods and moving away from macro-enabled documents.
- Threat actors specifically targeting Italy in campaigns include TA550, TA551, TA544, TA554 and TA542
- Ursnif banking malware is the most frequently observed malware targeting Italian organizations.
- Proofpoint has observed actors spoof Italian government organizations related to financial, postal, and health services.
- Identified threats can enable data theft, reconnaissance, financial loss, and delivery of follow-on malware, including ransomware
To read more about threat actors targeting Italy, please download the full report here.