It’s Time to Sound the Alarm on SMB Cyber Threats

There’s an unnerving secret many of us in cybersecurity have noticed. And if you think your company is “too small” to be worried about a potential attack, think again.

As it turns out, small and medium-sized businesses (SMBs) are a new playground for creative adversaries to hone the skills they need before attacking more lucrative, larger enterprises. It’s time the cybersecurity community got the word out: the tides have officially turned.

SMBs may have once assumed themselves “too small” to attract attackers’ attention. But today, SMBs are increasingly attracting adversaries as an ideal testbed environment on their way to larger, more destructive attacks. And disturbingly, SMBs just stand to lose more in a cyber attack:

Some 83% of SMBs are not prepared to recover¹ from the financial damages of a cyber attack

Only 14% of SMBs reported feeling that their cyber attack and risk mitigation plans were highly effective²

Around 43% of SMBs do not have any cybersecurity plan in place and 52% don’t have any IT security experts in-house³

Proof points on the evolving tactics, techniques, and procedures (TTPs) used against these companies are becoming easier to find. And while cyber threats bring a unique level of uncertainty to the SMB segment, one thing is for sure. The SMB segment represents the ideal environment for getting new TTPs “over the threshold” to become effective in larger enterprise environments.

A Low Bar to Entry

There are a lot of reasons that even small businesses can attract attackers. SMBs may fall below the ideal seat count, budgetary zone, or other parameters for leading cybersecurity solutions or services, leaving them especially susceptible to threats a larger enterprise may be capable of quashing. What’s more, SMBs often lack in-house expertise or strong planning for a response.

In industries from manufacturing to healthcare, this SMB threat is playing out before our eyes in headlines and offices across the country. One example we’ve seen in Huntress research revolves around industrial manufacturing—particularly government contractors, often so small they may only have 5-10 employees. When a government contractor bids on and secures contracts in that space, it is publicly available information and can draw the eye of threat actors. If an attacker can use legitimate tools like remote monitoring and management (RMM) software, a trend we noticed in 2023 at Huntress, they can be hidden in such an SMB’s system and ready to unleash chaos at a moment’s notice.

With smaller businesses and smaller budgets for hardening systems against attackers, threat actors see the ideal “easy prey” they’re looking for to leverage legitimate tools, remain hidden, and build their campaigns before deploying in larger enterprises. Whether by using a ScreenConnect vulnerability like we saw plaguing businesses in early 2024 or other tools like Cobalt Strike, it’s clear that SMBs must be on the watch for malicious entities operating within their legitimate systems and tools.

Use, Discard. Rinse, Repeat.

What’s so frustrating for teams like the one I lead at Huntress, is how SMBs are targeted and sustain widespread financial and reputational damage. Then, just as quickly as the threat arrives, it may move on to larger enterprises who stand a much better chance of surviving the attack. We’ve seen this pattern take place in smaller healthcare settings, another prime target Huntress observed malicious threats plaguing in 2023 and into 2024.

In the February 2024 hack of Change Healthcare, a smaller subsidiary of healthcare giant UnitedHealth, a lack of basic security controls⁴ led to the disruption of healthcare systems across the country. And it began in the same place many SMB attacks do: a lack of good security controls, and not enough expertise to know where they were lacking. Change Healthcare’s technology—which is used to process billions of insurance claims each year—was taken down in a ransomware attack that happened simply due to a lack of multifactor authentication (MFA), a basic security control that enhances endpoint security⁵.

At Huntress we have seen some variants of malware and ransomware popping up that are newer or even homemade. And SMBs, especially in healthcare, are an ideal place to try these variants out. For one thing, these SMBs are an easy target to exploit, sometimes as small as a single physician’s office or a smaller chain of dental offices. And once threat actors gain a foothold in that environment, thanks to HIPAA and other requirements, those targets are more likely to give into demands and pay a ransom—leaving the attacker to skip off to their next target.

In 2023, attackers exploited known vulnerabilities early on, such as MOVEIt⁶, 3CX, and ScreenConnect. And very often, they used SMBs as the “sandbox” to try out their tricks before moving onto the enterprise arena. And so, the old cycle of use/discard continues as attackers try out TTPs on SMBs like small healthcare offices and then move on to bigger, greener pastures.

And left in the wake? The vulnerable SMBs trying to move forward from a breach.

Arming SMBs to Fight Back

For SMBs who want to get ahead of the growing threat against them, now is the time to embrace and adopt proven security controls and build endpoint security like never before. As endpoints act as the gateway to an organization’s digital environment, 70% of breaches start here⁷. Some useful strategies to help SMBs build better endpoint security and proactively fight threats:

• Implement an asset management tool to help you keep track of all of your endpoints and prioritize security measures for the most critical ones in your infrastructure.
• Embrace auto-patching and make sure systems are regularly updated through a proactive patch management strategy.
• Immediately implement MFA if it’s not already in place across your devices and programs/tools.
• Use role-based access controls to align permissions and job responsibilities, performing regular audits to ensure your security is aligned to the principle of least privilege.
• Look at endpoint detection and response (EDR) solutions to help your SMB gain real-time insight and alerts that will empower a stronger response against threats.

SMBs should also be mindful of changes resulting from work-from-home shifts, with more exploits happening thanks to multiple devices on a home network, improperly configured (or just plain old and unsecured) home routers, and personal use of business-owned devices and systems. Proactive SMBs should consider cyber awareness training for their team to build vigilance and knowledge ahead of the threat.

Finally, if an SMB hopes to successfully defend against the fray of attackers they’re now vulnerable to, it’s time to build a comprehensive security plan to defend your endpoints. And if you’re not ready to do that or don’t have the in-house talent to achieve that goal, it may be a great time to bring in an MSP or similar partner to help you achieve the security you need in order to keep your business healthy for the long term.

In 2023, the team at Huntress saw clearly that SMBs are and will continue to be an ideal sandbox environment for hackers, simultaneously vulnerable and valuable as a space to develop and test new TTPs. In 2024, it’s time to acknowledge that threat, arm SMBs against it, and ensure that in 2025, those businesses are still healthy and operational.

To read more about unique TTPs being leveraged against SMBs, read the Huntress 2024 Cyber Threat Report

About the Author

Jamie Levy is the Director of Adversary Tactics at Huntress. She is also a researcher, developer and board member of the Volatility Foundation. She has worked over 15 years in the digital forensics industry, conducting investigations as well as building out software solutions. Jamie is also a co-author of The Art of Memory Forensics, the first book of its kind covering various facets of how to investigate RAM artifacts. Jamie can be reached at our company website here: https://www.huntress.com/.