At QOMPLX we're often called on to help companies assess their vulnerability to sophisticated cyber attacks. In recent years, that has included work with a growing number of global law firms, where QOMPLX technologies like our Identity Assurance and Privilege Assurance products and Q:SCAN help spot and manage cyber risk.
You might not think of law firms as top targets for cyber criminals, but they surely are. True, law firms don't sport the massive IT footprints of healthcare organizations or financial services firms. They don’t serve millions of customers like big box retailers. However, they are rich targets holding highly sensitive data, communications, financial information and intellectual property on behalf of their clients. More and more, that kind of data is of interest to both cyber criminal groups and nation-state actors.
Recent reports that the law firm Jones Day was a victim of a damaging supply chain attack just hammer that point home and also highlight the growing risk landscape for law firms.
Jones Day is the fifth largest law firm in the U.S., with more than 2,500 attorneys and $2 billion in revenue. According to published reports, it was the victim of a supply chain attack on the FTA file transfer software by the firm Accellion. It was among a group of companies who had sensitive data posted to _CL0P^_-LEAKS, a “dox” website run by the Clop ransomware gang containing data stolen from the group’s victims, often as a way to compel payment of its ransom.
The firm joined a number of other companies as victims of the Clop ransomware attack, including SingTel, the Singapore-based telecommunications firm, technology firm Danaher and the U.S. retailer Kroger. It also wasn’t the only law firm. The Australian firm Allens also had client data stolen in the attack, according to reports. (As of Tuesday, Jones Day’s name and data had been removed from the _CL0P^_-LEAKS site, suggesting some development in the ransomware attack.)
At the root of this incident is Accellion’s FTA product, a secure file transfer application variously described as a “legacy” product and a 20 year-old product “nearing the end of its life.” An analysis by the firm Mandiant/FireEye found that the attackers leveraged no fewer than four “zero day” software vulnerabilities in their attack, including previously undiscovered SQL injection and server side request forgery (SSRF) flaws.
Mandiant pinned the blame for the attacks on separate malicious actors. The initial compromise was attributed to a threat actor with the label UNC2546, and the subsequent extortion activity to a group known as UNC2582. Mandiant said both groups played a role in prior cyber operations by a group it calls “FIN11,” an active and financially motivated hacking group that is known to rely on sophisticated phishing email campaigns and to conduct high-volume ransomware and extortion operations involving - lately - the CL0P ransomware.
According to a statement by Accellion, multiple FTA customers who have been attacked by UNC2546 have received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS" .onion website.
Wake-Up Call for Law Firms
The incident should be a wake up call for law firms, which have long been targeted by sophisticated cyber adversaries. The global firm DLA Piper was, for example, one of the companies hit by the NotPetya wiper malware. And attacks against firms large and small are on the rise.
Like other organizations, law firms manage huge volumes of sensitive data as a core part of their business. Tools like FTA help manage those data flows. But they also introduce risks, both in the form of attacks on software flaws and inadvertent leaks. For example, another Accellion victim, QIMR Berghofer Medical Research Institute, acknowledged that it had mistakenly left clinical trial data on the Accellion FTA server long after it had been transferred, setting up a breach there after the FTA vulnerabilities were discovered and exploited.
Accellion’s advice for FTA customers is to migrate to a newer product, kiteworks. But law firms need to think holistically about the risk of sophisticated cyber attacks and ransomware. Among other things, they should take stock of software and services they rely on. Sophisticated cyber adversaries are increasingly moving downstream from law firms themselves, compromising legal supply chains. For example, the 2020 ransomware attack on TrialWorks a legal document management firm resulted in trial documents from scores of firms being held hostage by ransomware actors. The 2020 ransomware attack on legal services provider Epiq Global was another designed to put pressure on the victim by inflicting pain on downstream customers.
Assess your Risk
As these incidents indicate: law firms need to level-up their security practices. Some of that comes down to the basics: making sure anti-malware is installed and in use, staying on top of system patching and enforcing strong passwords and multi-factor authentication to secure accounts. But law firms increasingly need to think outside the box. Or better: they need to think like hackers as they assess the risk posture of their hybrid IT and cloud environment.
At QOMPLX, we help law firms large and small contend with sophisticated cyber attacks and assess their risk and exposure. Our Identity Assurance product helps our customers detect the techniques common to all large-scale breaches, including credential forgery and privilege escalation, while our Privilege Assurance technology digs deep into your Active Directory environment, identifying accounts that pose a risk to your organization, and highlighting concentrations of privileges that malicious actors try to exploit.
For attacks like the one on Jones Day, QOMPLX’s Q:SCAN for Supply Chains is a new way for your risk management team to get in front of threats like the one posed by Accellion’s FTA. Q:SCAN for Supply Chains can help you visualize the security of your entire vendor base. It uses open-source intelligence (“OSINT”) collection and analysis techniques to look for high-risk signals that would be valuable and attractive to attackers. It helps leverage that data to improve existing vulnerability scanning and vendor risk management practices your team has implemented.
If you want to learn more about how QOMPLX can help your company spot signs that may signal an Active Directory or authentication compromise, contact our team now.