  • Rosanna Hayes

When ‘Watering Hole’ Attacks Gained Sophistication - Legal Firms Took the Bait

Cyber extortion is undeniably the fastest growing crime in the world, with a ransomware victim every 10 seconds in 2020, and a 900% rise in attacks in 2021 when compared with 2020.

However, the concern lies not just in the escalating frequency, but in the markedly developed, and continually developing, sophistication of the attacks.

The cyber threat landscape has advanced immensely since the days when hackers acted alone or in small groups. Cybercrime has become an industry - big business, working from home, and out of dedicated call centres with assigned roles, access brokers, partner networks, resellers, and vendors. Attacks are more carefully planned, powered by slick processes such as Ransomware-as-a-Service, with breached or stolen data being re-packaged and then sold on the dark web. Organised crime has moved on from drugs and arms to cybercrime, as criminal gangs saw an opportunity for gain that posed very little risk. Operating out of countries all over the world, cybercriminals are conducting their business with impunity as authorities lack the jurisdiction to bring them to justice.

Offering enticing financial rewards, legal firms are valuable targets for threat actors who seek to intercept and divert client funds, extort data, and make ransom demands. Attacks on the sector have become impressively intelligent, involving a great deal of research and planning, backed by the knowledge that these efforts are more likely to yield a handsome profit. To give this some perspective: the UK Solicitors Regulation Authority revealed a 300% increase in phishing scams in the first two months of lockdown alone. This is more than three times the amount reported during the same timeframe in 2019.

Research in 2020 indicated a 358% increase in malware, and with the average lifetime of a breach lasting 314 days, there’s plenty of time for threat actors to inject malicious code and operate under the radar without the victims’ knowledge. This is precisely what happened in a case we recently investigated. However, the level of knowledge used to conduct the attack was remarkable in its sophistication.

To raise the alarm and offer warning to the legal sector, this article will walk through the intricacies of the case and the growth, yet again, in the level of exertion we are seeing from cybercriminals.

The case (anonymous)

Access Brokers - tempted by the potential of financial gain - targeted legal firms, engineering the success of their attack by developing a list of legal search terms, looking specifically for those with the fewest (non-paywalled) results.

After pinpointing the perfect ‘niche’ term, and by using the traditional mechanism of hits and relevance, they were able to ensure the website they compromised would feature at the top of search engine results. In fact, they were able to successfully rank the compromised website in the top 4 of every search engine. This malicious SEO technique has been dubbed ‘Gootloader’ and uses the ‘Gootkit’ Remote Access Trojan (RAT) to deliver malicious software to the compromised device, according to the needs of the attacker.

They then began a search for vulnerable, outdated WordPress sites with names that could be mistaken for a legal firm. We now understand that the threat actors have a central server that delivers malicious content and payloads through compromised WordPress sites. They discovered a little-used hobbyist website and inserted new pages to make the content more plausible, by lifting content from bona fide legal websites with the addition of a fake forum. Here, they posed as other legal professionals, answering questions in relation to the earlier chosen search term. Within the forum, the hackers buried a document containing malicious code.

There were multiple victims of this attack, each one a legal professional whose systems were compromised when payload.exe malware, embedded in an Excel spreadsheet, was downloaded. Once it was executed, the victims were connected to a malicious site from which Gootkit banking trojan malware was downloaded, and a file-less attack orchestrated by Cobalt Strike took over the victim’s computer. A user-specific environment was created using hundreds of random characters dumped into the Windows registry, where traditional anti-malware detection methods can be evaded. This is known as LOLBins (Living Off the Land Binaries) and means that no new malware or software needs to be downloaded, as the attack uses what’s already present on the system, reducing the chance of being detected by anti-malware software.
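A defender can hunt for the registry staging described above by looking for unusually long, high-entropy string values in the per-user hive. The following is an added example, not code from the investigation or from STORM; the key names, the sample export and both thresholds are assumptions chosen for illustration.

```python
import math
import random
import re
import string
from collections import Counter

# Constructed sample in `reg export` text form; every key and value name is
# hypothetical. Real exports are UTF-16 and must be decoded before parsing.
_rng = random.Random(7)
_blob = "".join(_rng.choices(string.ascii_letters + string.digits, k=400))
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor\Viewer]",
    r'"InstallPath"="C:\\Program Files\\ExampleVendor\\Viewer"',
    '"RecentFiles"="' + r"C:\\Users\\alice\\Documents\\a.docx;" * 10 + '"',
    "",
    r"[HKEY_CURRENT_USER\Software\ExampleKey\User0]",
    '"0"="' + _blob + '"',
])

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ only

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_values(reg_text, min_len=200, min_entropy=4.5):
    """Return (key, name, length, entropy) for long, random-looking HKCU strings."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not (m and key and key.upper().startswith("HKEY_CURRENT_USER")):
            continue
        name, data = m.groups()
        if len(data) >= min_len:
            ent = shannon_entropy(data)
            if ent >= min_entropy:  # length alone also matches benign path lists
                hits.append((key, name, len(data), round(ent, 2)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_values(SAMPLE_REG):
        print(hit)
```

Hex-encoded data never exceeds 4 bits per character, so lower `min_entropy` if staged content in your environment is hex rather than mixed alphanumerics, and expect more benign matches when you do.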

The attackers then gained the ability to run PowerShell commands, including password-stealing programs and download tools, which they used to scan and perform lateral movement within the network. They then compromised other systems, obtaining elevated privileges, running exfiltration software and, finally, ransomware to encrypt the network.

Gootloader is being used in an extensive drive-by and watering-hole cyber campaign that targets WordPress sites by injecting fake content. The campaign is still ongoing, and the malicious actors have now cast their net to seek out the financial, military, automotive, pharmaceutical, mining, gaming, government, and energy sectors. The campaign delivers not only Gootkit malware but also REvil ransomware and other malware, including Kronos, BlueCrab, and Cobalt Strike Beacons.

What can Legal Firms do?

Watering Hole attacks like this are classically aimed at the Legal, Finance, and Defence industries and can be orchestrated by Access Brokers who gain the initial access and then sell it on, charging around $1,500.

It should also be noted that there are some criminal organisations that can both gain access and perform the attack without the assistance of access brokers. Exploits such as these, where malware is downloaded and executed, run the risk of leading to a ransomware attack (amongst others) and often a double extortion attack. By encrypting an organisation’s network, and threatening to steal and release data, cybercriminals attempt to extort more from businesses who fear embarrassment and possible litigation.

Due to the sheer volume of client money and confidential information held by law firms, the risk of being targeted by cybercriminals is very real. The information they hold on their clients and their corporate clients’ employees would put them in very real danger of litigation should any of the PII fall into the wrong hands. And we already know that their clients are exactly the type of people to sue if their data is leaked. Data breaches can result in fines of up to 10% of a firm’s global earnings, and given the sensitivity of some case data, it’s imperative that law firms have scrupulous security and privacy controls in place.

One of the main ways to combat this type of attack is using a web security product that can block old WordPress sites and uncategorised or suspicious websites. Consideration should be given to educating users in exercising caution: to visit only recognised, trustworthy websites and never download unknown content.

In addition, a new service was rolled out this month offering an easily implemented control that legal firms can access to strengthen their external-facing systems. STORM’s CyberProfiler is effectively an Attackers Eye View™ scan, which enables you to see and understand your online presence through the eyes of a cybercriminal. The assessment evaluates a range of key areas an attacker will be looking to exploit: poorly configured networks, outdated services, user accounts, registered domains, third-party links, budgetary spend and more. A dedicated team of experts combines both automatic and manual investigation and scanning, and will discuss the findings and consult on remediation.

Regularly reviewing your internet-facing systems actively prevents criminals from impersonating your business and carrying out Gootloader malware attacks such as the example discussed in this article.
