April 26, 2021
The Threat to European Law Firms Continues to Grow
Law firms and the professional services sector are prime targets for cyber threats due to the volume of payments they process or the type of information they hold on behalf of their clients. These firms not only hold very sensitive information, they are also a potential threat to the companies and individuals they represent when they form part of the payment processing chain on key financial transactions.
Many International law firms host data on behalf of their clients for e-discovery purposes. This often means they are hosting (or using third parties to host) terabytes of unstructured data and metadata in a structured format, to support litigation, disclosure and regulatory proceedings. In recent years, these solutions have moved to the cloud, in AWS or Azure. Security of these solutions has become paramount, especially due to the remote working requirements over the past year and the new working from home paradigm.
Often law firms can be a weak link in the supply chain and there have been a number of cases where clients have been attacked through their lawyers. Some recent examples include:
- In February this year, an international law firm was exposed to an attack, as part of a vulnerbility of their Accellion platform – a secure file sharing facility, that is used to transfer and share documents.
- In October last year, a U.S. law firm suffered a data breach which compromised the personal information they were holding for current and former employees of a major social media giant.
- In recent weeks, attackers have been taking advantage of the MS email exchange server vulnerabilities
Therefore, overall, law firms have a lot to be thinking about when trying to keep their clients data and information secure and need to employ rigerous cyber due diligence processes to keep their clients data safe and secure.
In the United Kingdom, law firms have moved at pace towards obtaining the National Cyber Security Centre (NCSC) supported Cyber Essentials credential as a baseline whilst many firms have progressed onto and attained the independently assessed Cyber Essentials Plus certification. In 2018, the NCSC published a guide to better security within lawfirms in conjuction with the Law Society. Whilst this is clearly a step in the right direction there is always more to be done with some surveys recognising that many UK firms need to get cyber security basics right.
Early research in 2018 by Red Shift identified 84% of UK law firms were vulnerable and remain the biggest threat to a £26 billion industry. The question is whether this situation has changed?
At the time, the study examining the security practices of law firms identified only 16% of the top 95 law firms in the UK had sufficient measures in place to fully protect against email fraud and phishing represened 93% of breaches in 2018. Even at this early stage, this revelation served as a stark warning to law firms in the possession of the strictest of confidential consumer information or involvement in processing payments to remain vigilent.
In 2020, ransomware was one of the most popular cyber-attack methods that cybercriminals used to target the legal sector. In a typical ransomware attack, an organisation’s network is penetrated by attackers ,this is often carried out through sending a phishing email which immitates a legimate email designed to steal information or deliver malware payloads. Phishing was used as a successful method for deploying cripping malware such as Emotet and the root cause of several ransomware threat actor group attacks
This year, the picture has not changed dramatically. A recent survey published in February 2021 on law.com International highlighted that there is still room for improvement. Last year in May 2020, it was reported that sensitive information uploaded by law firms was left “exposed” on an open database platform used by many in the industry.
The recent Microsoft Exchange Server zero-day vulnerability, Solar Winds supply chain attack and Accellion breach serve as a stark warning to all for the need to be ever more vigilant. Several law firms were impacted by breaches. Standing still is not an option.
Last year also saw examples of law firms’ information being released as part of the Luanda Leaks – an investigation into how Africa’s richest woman, Isabel dos Santos, acquired her fortune – while in May 2020, a leading New York entertainment law firm was hit by a ransomware attack. In October 2020, several U.S. law firms disclosed security incidents, including a malware attack, that put clients’ sensitive information at risk.
In addition to law firms being attacked, according to Law 360, members of the bar themselves are beingtargeted, such as Washington State, New York State, Los Angeles County, Pennsylvania and Chicago barassociations. This pattern may well continue into Europe in 2021 and beyond.
In 2020, a third party company used by UK law firms to complete digital legal forms suffered a data breach resulting in the exposure of sensitive data relating to legal documents involving Companies House, HM Land Registry. In all, some 193 UK legal firms were impacted. This highlights the risk exposure to legal firms outsourcing services to third parties.
A recent matter in the U.S. involved a U.S. law firm that offers employment verification compliance services to Google in the United States; it suffered unauthorised access into its computer systems in September that resulted in hackers accessing the personal information of present and former Google employees. Law firms unaware that a supplier/third party has been breached whilst maintaining privileged access is not uncommon.
There have been millions of threats targeting the legal sector: these threats were not only high-volume and constant, amounting to hundreds of thousands of attempted attacks against law firms daily; they were also highly targeted, as evidenced by numerous engagements with threat actors on the deep and dark web.
Threat actors steal and abuse credentials; probe for network vulnerabilities; use anonymising tools and proxies; and make use of persistent, advanced tactics to ‘crack’ global law firms.
There has been non-trivial evidence of compromise at law firms of all sizes, including the largest and most sophisticated global firms.
The attacks came in many forms, including the criminal pursuit of sensitive financial information, ransomware, password breaches and leaks, and ‘hacktivism’.
Research by Ankua conducted into specialist hacking forums hosted on the dark web found threat actors actively pooling their resources and trading information, data, and techniques in furtherance of organised cyber criminality. Threat actors on one Russian language cybercrime forum – where threat actors auction malware, stolen data, and other illicit digital goods -, were actively seeking access to European law firms and offering network access to an already compromised U.S. law firm. Law firms were also sources of private identity information traded on these dark web sites.
Our dark web analysis highlights the value placed upon law firms and the data they hold by cyber-criminals, whether their motivations be state-sponsored, hacktivism or in furtherance of organised crime.
Key Considerations for a Persistent Threat (DeathStalker Threat Actor)
Last year over the summer, reporting shone a light on a little-known but long-established cyber espionage group targeting law firms with a phishing campaign across Europe and the Middle East. Ankura has leveraged our own threat intelligence functions to complement existing reporting.
Named DeathStalker but formally knowns as ‘The Deceptikons’, this APT group is believed to have been operating a ‘mercenary as a service’ offering for their clients. The group is not technically sophisticated, with as yet, no known links to zero-day exploits; yet the ‘DeathStalker’ infrastructure and malware set is clever and highly persistent.
The ‘DeathStalker’ APT group repeatedly targets commercial and non-governmental organisations seeking to obtain law firms’ clientele credentials, financial information, and details of negotiations with potential privacy implications for those impacted.
Most attacks follow a similar pattern, beginning with a spear-phishing email carrying a malicious modified LNK (shortcut) file that, when downloaded, runs a PowerShell-based backdoor trojan.
In 2019, ‘The DeathStalker’ was known to have spear-phished European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor.
Recent reports indicate the DeathStalker APT has developed a new malware variant ‘PowerPepper’. This malware is a Windows in Memory Powershell that executes remotely sent shell commands. As in previous campaigns, this implant is delivered via a spear-phishing email. It is noted for its anti-analysis and detection capabilities. (Indicators of compromise are included in Appendix A).
Despite the recent reporting on this threat group, little detail is known about their, structure, and finances. They are known to have targeted organisations in China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK, and the United Arab Emirates.
Getting “Beyond the Basics” – Recommendations to Protect Against Bad Actors
- Carry out risk assessments of your security, infrastructure and controls across people, process and technology to assess where potential gaps exist and exposures lie that could lead to successful data exfiltration, business email compromise or ransomware cyber attacks.
- Assess your cloud environment to identify vulnerabilities and detect normal / suspicious activities.
- Review if any data exists or has been leaked on the dark web or open forums regarding your company and intellectual property using threat intelligence.
- Deliver customised training to raise awareness of common phishing / spear phishing techniques.
- If you have a network intrusion system, assess any network intrusion activity on a regular basis. Network intrusion prevention systems are designed to scan and remove malicious downloads and can be used in a ‘sandbox’ environment to block malicious activity.
- Block unknown web content and unused files by default – these should not be downloaded by policy from suspicious sites – preventing vectors, such as .scr, .exe, .pif, .cpl, etc. Use solutions that open and analyse compressed / encrypted formats ( g., zip and rar) used to conceal malicious files.
- Review your data inventory to understand where sensitive information resides across your organisation and ensure there are appropriate safeguards in place.
- Deploy endpoint monitoring to provide an additional layer of security beyond anti-virus controls to detect and mitigate suspicious activities on your workstations and servers.
- Enable multi-factor authentication to reduce the risks associated with credential attacks.
- Develop robust backup and recovery procedures, separate from your domain to mitigate and recover following an attack.
- Implement a “defence-in-depth” cyber security strategy that relies on multiple security controls.
- Apply appropriate levels of data security protection using encryption, data minimalization, and role-based access control to limit exposure to cyber attacks from within.
- Strengthen your external remote access connections for VPN’s, Remote Desktop Services, VTI’s using regular patch management, multi factor authentication, encryption and segmentation.
- Leverage threat intelligence to better understand, manage and pre-empt threats (refer to appendix for specific indicators of compromise (IOCs) for DeathStalker)
APPENDIX A – DEATHSTALKER IOC’s
|IOC File Hashes||Description|
|E132C596857892AC41249B90EA6934C1||PowerSing Stage 1|
|9A0F56CDACCE40D7039923551EAB241B||PowerSing Stage 1|
|0CEBEB05362C0A5665E7320431CD115A||PowerSing Stage 1|
|C5416D454C4A2926CA6128E895224981||PowerSing Stage 1|
|DBD966532772DC518D818A3AB6830DA9||PowerSing Stage 1|
|B7BBA5E70DC7362AA00910443FB6CD58||PowerSing Stage 1|
|2BE3E8024D5DD4EB9F7ED45E4393992D||PowerSing Stage 1|
|83D5A68BE66A66A5AB27E309D6D6ECD1||PowerSing Stage 1|
|50D763EFC1BE165B7DB3AB5D00FFACD8||PowerSing Stage 1|
* Web site references for file hashes from Kaspersky Threat Intelligence Portal (https://opentip.kaspersky.com/)
|IOC – FILE PATH||Description|
|%PROGRAMDATA%\Support\licenseverification.vbs||Malicious VBS Loader|
|%PROGRAMDATA%\Support\licenseverify.vbs||Malicious VBS Loader|
|%PROGRAMDATA%\MyPrinter\NewFile.vbs||Malicious VBS Loader|
|%PROGRAMDATA%\Printers\NewFile.vbs||Malicious VBS Loader|
|%APPDATA %\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk||Malicious startup launcher LNK|
|%PROGRAMDATA%\MyPrinter\Web.lnk||Malicious startup launcher LNK|
|%PROGRAMDATA%\Printers\Web.lnk||Malicious startup launcher LNK|
|%APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\StartPrinter.url||Malicious startup launcher URL|
Domain and IPs
|IOC – DOMAIN NAMES||Description|
|allmedicalpro[.]com||PowerPepper C2 domain name|
|mediqhealthcare[.]com||PowerPepper C2 domain name|
|gofinancesolutions[.]com||PowerPepper C2 domain name|
|mailsigning.pythonanywhere[.]com||PowerPepper Signaling hostname (legitimate host and root domain)|
|mailsignature.pythonanywhere[.]com||PowerPepper Signaling hostname (legitimate host and root domain)|
|mailservice.pythonanywhere[.]com||PowerPepper Signaling hostname (legitimate host and root domain)|
|mailservices.pythonanywhere[.]com||PowerPepper Signaling hostname (legitimate host and root domain)|
|footersig.pythonanywhere[.]com||PowerPepper Signaling hostname (legitimate host and root domain)|
|8globalsignature.pythonanywhere[.]com||PowerPepper Signaling hostname (legitimate host and root domain)|
|IOC – URLS and Emails||Description|
|hxxps://www.gsn-nettoyage[.]com/wp-snapshots/btoken.php||PowerPepper Signaling hostname (legitimate but compromised website)|
hxxps://www.gsn-nettoyage[.]com/wp-snapshots/Quote 16 db room.docx
|Malicious documents download location (legitimate but compromised website)|
|hxxps://outlookusers.page[.]link/||Malicious documents download location (legitimate host and root domain)|
|hxxps://1drv[.]ws/w/s!AvXRHBXCKmvYdifkocKujNavvjY?e=hhuBV8||Malicious document remote location (legitimate host and root domain)|
|hxxps://1drv[.]ws/w/s!AvXRHBXCKmvYdcbz1YwTJRkOxP4?e=u5wtbX||Malicious document remote location (legitimate host and root domain)|
|hxxps://1drv[.]ws/w/s!AvXRHBXCKmvYd1921tVEMKWaCUs?e=MyoVNF||Malicious document remote location (legitimate host and root domain)|
|hxxps://1drv[.]ws /w/s!AvXRHBXCKmvYeFdjVtZN0Quljs4?e=dnA6GG||Malicious document remote location (legitimate host and root domain)|
|hxxps://1drv[.]ws/w/s!AvXRHBXCKmvYeePNerfsAWK0qVY?e=e4SsYM||Malicious document remote location (legitimate host and root domain)|
|hxxps://1drv[.]ws/w/s!AvXRHBXCKmvYejBpdekg1WUCM9M?e=UkhU10||Malicious document remote location (legitimate host and root domain)|
|hxxps://1drv[.]ws/w/s!AvXRHBXCKmvYe1ulhtazjNVvCqY?e=WptVTC||Malicious document remote location (legitimate host and root domain)|
|a.christy_inbox@outlook[.]com||Suspected malicious spear-phishing email sender (legitimate root domain)|
“Cyber Risk Advisory Emerging threats to European Law Firms,” Ankura Consulting; Gross, Tanya; Rubin, Ryan; Collins, Catherine; McKay, Gavin.