Legal and professional services firms face cyber threats from the following threat actors:
• Advanced Persistent Threat (APT)[1] groups will likely seek to exploit trusted client relationships and gain access to intellectual property or proprietary information to benefit a government sponsor.
• Enterprise-like cybercriminals will probably attempt to obtain and monetize proprietary client information for their own profit.
• Hacktivists may target law firms and professional services organizations to call attention to a particular cause, or disrupt operations and embarrass the victim if threat actors feel that the organization is involved in a controversial issue or representing a controversial client.
OBSERVED TARGETING
We have observed at least 12 advanced threat groups compromise companies in these subsectors.

Subsectors Compromised
• Business Process Outsourcing
• Consulting Firms
• Legal Services
• Professional Services
• Public Relations, Marketing & Advertising Agencies
• Research Firms

Data Stolen from Legal & Professional Services Organizations
• Business Communications
• Legal Documents
• Records of Meeting
• Statements of Work
• Business & Strategic Plans & Goals
• Programs & Initiatives
• Public Relations Products

[1] Advanced Persistent Threat (APT) actors are assessed to take direction from a nation state to steal information or conduct network attacks, tenaciously pursue their objectives, and are capable of using a range of tools and tactics.

FIREEYE INDUSTRY INTELLIGENCE REPORT
CYBER THREATS TO THE LEGAL AND PROFESSIONAL SERVICES INDUSTRIES
SECURITY REIMAGINED
CASE STUDY: APT GROUPS TARGET LAW FIRM
INVOLVED IN ENERGY INDUSTRY
We conducted a network investigation for a global law
firm that had discovered that its systems had
communicated with known malicious IP addresses. Our
investigation found that two China-based threat groups
had compromised the firm shortly after it had
represented legal parties against the Chinese
government and China-based businesses in two large
financial oil ventures. The threat actors initially gained
access through use of a phishing email that contained a
malicious link. They were then able to obtain the local
administrator account password and access all of the
network’s systems, as all of the computers shared the
same local administrator password. The threat actors
compromised at least 37 systems, obtained credentials
for all of the firm’s users, and stole more than 200 MB of
email data from at least two systems in the firm’s office in
Beijing, China.
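The investigation above began because the firm noticed its systems communicating with known malicious IP addresses. As an added example (not code from the FireEye report), the following Python check performs that matching over outbound connection log lines against a blocklist that may contain both single addresses and CIDR ranges, grouping hits by internal source host so that responders start with a list of systems to examine. The log format, the blocklist entries and every address (drawn from RFC 5737 documentation ranges) are constructed for the example.

```python
"""Match outbound connection log lines against a threat-intel blocklist.

Added example, not from the FireEye report. Log format, blocklist entries
and all IP addresses below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist: single hosts and CIDR ranges (RFC 5737
# documentation ranges, not real indicators).
BLOCKLIST = [
    "198.51.100.23",
    "203.0.113.0/24",
]

# Constructed firewall log lines, one connection per line.
SAMPLE_LOGS = """\
2015-02-10T08:12:01Z src=10.0.4.17 dst=198.51.100.23 dport=443 proto=tcp
2015-02-10T08:12:05Z src=10.0.4.17 dst=192.0.2.10 dport=80 proto=tcp
2015-02-10T08:13:44Z src=10.0.7.201 dst=203.0.113.77 dport=8080 proto=tcp
2015-02-10T08:14:02Z src=10.0.4.18 dst=10.0.0.5 dport=445 proto=tcp
2015-02-10T08:15:30Z src=10.0.7.201 dst=203.0.113.9 dport=443 proto=tcp
"""

# Parses the constructed "key=value" log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def compile_blocklist(entries):
    """Turn blocklist strings into network objects; bare IPs become /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip_text, networks):
    """Return the blocklist network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed field: not a hit, but not a crash either
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def find_hits(log_text, entries=BLOCKLIST):
    """Return {internal_src: [(timestamp, dst, matched_network), ...]}.

    Grouping by source host gives the IR team its initial list of
    systems to image and examine.
    """
    networks = compile_blocklist(entries)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        net = is_listed(m["dst"], networks)
        if net is not None:
            hits[m["src"]].append((m["ts"], m["dst"], str(net)))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(find_hits(SAMPLE_LOGS).items()):
        print(f"{host}: {len(events)} connection(s) to listed addresses")
        for ts, dst, net in events:
            print(f"  {ts}  -> {dst}  (matches {net})")
```

In practice the blocklist would be loaded from a threat-intelligence feed and the log text from a firewall or proxy export; because the check uses the standard `ipaddress` module, IPv6 indicators work the same way, and a single-address entry is normalised to a /32 so that hosts and ranges are handled by one code path.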
THREAT HORIZON AND INDUSTRY OUTLOOK
FireEye believes that legal firms and professional services organizations will primarily continue to face threats from actors seeking to steal data. Factors that may influence threat activity against these sectors likely include:
• Involvement in negotiations or legal proceedings surrounding a major strategic issue: state-sponsored threat actors will likely target such firms for espionage purposes intended to provide the sponsoring government with the ability to monitor legal activity, secure an advantage in negotiations, or otherwise inform its own decision making.
• Access to proprietary client data: financially motivated cybercriminals will probably target legal firms and professional services organizations to gain access to client data – whether financial and account information, or proprietary, market-moving information. These threat actors will likely seek to monetize such information for their own personal gain.
• Access to high-value clients: threat actors will likely target legal firms and professional services organizations to take advantage of their trusted relationships and gain access to client information, or even clients' networks themselves.
TOP 5 MALWARE FAMILIES
FireEye most frequently detected threat actors using the following targeted malware families to compromise organizations in the legal and professional services sectors:
35% Gh0stRAT
25% Kaba
17% XtremeRAT
13% LV
10% ChinaChopper

Gh0stRAT is a remote access tool (RAT) derived from publicly available source code. It can perform screen and audio captures, enable a webcam, list and kill processes, open a command shell, wipe event logs, and create, manipulate, delete, launch, and transfer files.

Kaba (aka SOGU aka PlugX) is a backdoor capable of file upload and download, arbitrary process execution, filesystem and registry access, service configuration access, remote shell access, and implementing a custom VNC/RDP-like protocol to provide the command and control (C2) server with graphical access to the desktop. It provides SQL database-querying capabilities and may communicate using HTTP POSTs or a custom binary protocol.

XtremeRAT is a publicly available RAT capable of uploading and downloading files, interacting with the Windows registry, manipulating processes and services, and capturing data such as audio and video.

LV (aka NJRAT) is a publicly available RAT capable of keystroke logging, credential harvesting, reverse shell access, file uploads and downloads, and file and registry modifications. It also offers threat actors a “builder” feature to create new variants.

ChinaChopper is a simple code injection webshell that is capable of executing Microsoft .NET code within HTTP POST commands, and can upload and download files, execute applications with webserver account permissions, list directory contents, access Active Directory, access databases, and undertake any other action allowed by the .NET runtime. Anti-virus software often does not detect ChinaChopper, due to its simplicity and the variability of its contents. Detection therefore relies on analysis of network traffic, or manual detection on the victim computer using regular expressions (regexes).
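The ChinaChopper description above ends with the practical point that anti-virus often misses a tiny webshell and that host-side detection falls back to regular expressions. As an added example (not code from the FireEye report), the Python scanner below applies that approach to a web root: it walks the tree, scans only server-executed page types, and flags files whose content evaluates or executes input taken straight from the HTTP request. The indicator regexes are generic assumptions of this example rather than a published signature for any one sample, and the files written by `demo()` are constructed fragments, not working pages.

```python
"""Host-side regex scan of a web root for webshell-style code.

Added example, not code from the FireEye report. The indicator regexes
are generic ("evaluate whatever the HTTP request sent") and are this
example's assumptions; the sample files written by demo() are constructed
fragments, not functional pages.
"""
import os
import re
import tempfile

# Generic indicators: server-side eval/exec fed directly from request input.
INDICATORS = {
    "aspx-eval-of-request": re.compile(
        rb"\beval\s*\(\s*Request(?:\.Item)?\s*[\[\(]", re.IGNORECASE),
    "php-eval-of-request": re.compile(
        rb"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE),
    "jsp-exec-of-request": re.compile(
        rb"getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(\s*request\.getParameter",
        re.IGNORECASE),
}

# Only server-executed page types are scanned; static assets are skipped.
WEB_EXTENSIONS = (".aspx", ".asp", ".ashx", ".php", ".jsp", ".jspx")


def scan_bytes(data):
    """Return the indicator names that match the given file content."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]


def scan_tree(root, max_size=1_000_000):
    """Walk root and return {relative_path: [indicator names]} for hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            if os.path.getsize(path) > max_size:
                continue  # one-line shells are tiny; skip bulky files
            with open(path, "rb") as fh:
                names = scan_bytes(fh.read())
            if names:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = names
    return findings


# Constructed sample tree: one benign page, two indicator-bearing fragments
# (deliberately not complete pages), and one static asset that must be skipped.
SAMPLES = {
    "default.aspx": b'<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n',
    "img/upload.aspx": b'eval(Request.Item["p"], "unsafe")  constructed indicator text',
    "inc/x.php": b'@eval($_POST["k"])  constructed indicator text',
    "static/app.js": b'eval(Request.Item["p"])  same text, but not a server page',
}


def write_samples(root, samples=SAMPLES):
    """Write the constructed sample files under root."""
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, names in sorted(demo().items()):
        print(f"{rel}: {', '.join(names)}")
```

Two design points matter for this kind of scan. Because the webshell is small and its contents vary, the patterns key on structure (an eval or exec whose argument is a request parameter) rather than on exact bytes, and they are applied to raw bytes so that encoding tricks in the rest of the file do not stop the match. Restricting the walk to server-executed extensions keeps client-side JavaScript (where `eval` is common and harmless to the server) out of the findings; a hit in an unexpected directory such as an upload or image folder, as in the constructed sample, is the case that deserves immediate attention.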
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com
© 2015 FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.
INTEL.FIN.EN-US.022015
TOP 5 CRIMEWARE FAMILIES
FireEye’s sinkhole and dynamically shared threat data indicate that the following crimeware variants were the most commonly detected in the legal and professional services sectors:
44% RAMDO
19% RUSSKILL
14% GAMARUE
13% ASPROX
10% ZEROACCESS

RAMDO is a trojan that sends information about an infected system’s operating system and hardware to its C2 server. It can prevent anti-virus software from properly functioning and engage in click fraud.

RUSSKILL allows threat actors to use infected machines in DDoS attacks against the target of a threat actor’s choosing.

GAMARUE (aka Andromeda bot) is a multipurpose trojan that can be used as a keylogger, form grabber, or a dropper for other malicious software. It contains several anti-debugging and anti-VM capabilities.

ASPROX is a spam botnet that typically uses themes related to airline tickets, postal services, and license keys in order to entice victims to open the emails and download malicious software.

ZEROACCESS (aka Sirefef) is a trojan with advanced rootkit capabilities. Initially developed as a delivery mechanism for other types of malicious software, it has been re-architected to perform click fraud.

MALWARE IN IRs
The malware families that APT groups most frequently used in incidents that we responded to in this sector include:

BANGAT is a backdoor capable of key logging, connecting to a driver, creating a connection to a C2 server, capturing mouse movement, gathering system information, creating and killing processes, harvesting passwords, shutting down and logging off systems, and creating and modifying files.

POISON IVY is a publicly available RAT that provides comprehensive remote access capabilities on a compromised system. Its variants are configured, built, and controlled using a graphical Poison Ivy management interface. It can be configured to produce shellcode, which can be packaged into an executable or combined with an existing executable to hide its presence.

LEOUNCIA is a backdoor that is capable of uploading and downloading files, launching executables, running arbitrary shell commands, listing and killing processes, obtaining directory listings, and communicating with a C2 server using HTTP requests.

HOMEUNIX (aka 9002) is primarily a generic launcher for downloaded plug-ins. These plug-ins are stored in a memory buffer, and then loaded and linked manually by the malware. This means that the plug-ins never have to touch disk. However, the malware may also store and save plug-ins. These plug-ins will run after the system is rebooted without the attacker having to send them again to the victim system.

Gh0stRAT (see previous description)