Darktrace has identified an increasing number of cyber-attacks targeting law firms. Concerningly, the attacks are emerging not from opportunistic malware, like banking trojans, but threat actors who actively conduct cyber-intrusions, seeking to exfiltrate data from these organizations.
Perfect targets
Law firms are actively pursued because their systems contain the sensitive data of many other organizations. The essence of a lawyer’s work involves managing confidential client information. Firms are privy to a huge variety of valuable data, from tax affairs, to intellectual property. Consequently, law firms’ ability to protect highly-sensitive information is critical; a successful cyber-attack might cause reputational damage resulting in the diminishing of their most valuable asset – clients’ trust.
Further challenges
As an industry, law is structured around sharing revenues among a minimal number of highly qualified professionals. As such, they can rarely employ large IT teams – and even smaller IT security departments. With the increased number of attacks seen in recent years, as well as the added risks of the cloud, and the Internet of Things, security teams lack the capacity to defend their networks against the sophisticated, machine-speed attacks which characterize today’s threat landscape.
In addition, lawyers often have to research obscure or potentially illegal activities, while communicating and receiving files from third parties. This complicates any attempt to impose and regulate highly restrictive security policies, placing a significant burden on small, overstretched security teams.
Living off the land
Interestingly, the recent surge of targeted attacks against law firms is unified by the methods used. The attacks were all performed using publicly available tools, including: Mimikatz (for credentials dumping), Powershell Empire (for Command & Control communication), Dameware (additional C2/backdoor), and PsExec variants such as the Impacket Python variant of PsExec (for lateral movement).
Perhaps surprisingly, using generic methods against such high-level targets is actually beneficial to the attacker. Adopting mainly publicly available tools, rather than individually crafted malware, makes attribution much harder.
Although some of these tools, such as Mimikatz, have to be downloaded into the environment; the stealthiest, like Dameware or PsExec, are able to use the infrastructure within their environment. Known as ‘living off the land’, these tools are almost undetectable by traditional security approaches, as their malicious activity is designed to blend in with legitimate system administration work.
To read the full article click here