Hackers are turning up at law firms to gain physical access to machines
The FBI is warning companies to look out for fake IT staff
Hackers posing as IT experts are showing up in person at law firms, the FBI has warned.
In the past, the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, sent phishing emails purportedly charging small 'subscription fees'. To cancel the fake subscription, the victim was instructed to call the threat actor, who then emailed the victim a link to download remote access software.
Now, though, the group is using phone calls and phishing emails to pose as IT support, gaining access to the victims' computers and exfiltrating data.
And while this is often done through legitimate remote access tools, the group has also been sending individuals in person to the victim company's location to gain physical access to machines.
"This is a pretty natural evolution of extortion operations. We spent years building detections around malware and exploits, and now attackers are shifting toward social engineering, trusted tooling, and physical access," commented Gabrielle Hempel, security operations strategist at Exabeam.
"Physical security fell by the wayside when organizations began to move their data to the cloud, but if your security model assumes that the threat actor is always on the other side of the internet, you have a problem."
The group's first step is to either directly call or send phishing emails urging employees to call 'IT support'. While on the phone, the SRG actor directs the employee to grant access to a remote desktop session.
If that attempt fails, though, SRG sends a threat actor to the victim's location to gain access and insert a storage device into the victim's computer. The hacker tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email.
Once they have access to the victim's device, they escalate privileges only minimally and quickly pivot to data exfiltration, without encrypting anything, using Windows Secure Copy (WinSCP) or a hidden or renamed copy of Rclone.
"SRG actors use the exfiltrated victim data to extort the victim by sending a ransom email threatening to sell or post the data online," the FBI said. "SRG actors also call employees or clients of a victim company to pressure the victim to begin ransom negotiations."
While SRG has hit companies in a number of sectors, including the insurance, finance, and healthcare industries, it's consistently been targeting US-based law firms since spring 2023.
"The group is leaning into trust by posing as IT support, walking employees through remote access, then moving quickly to steal data before anyone realizes something is wrong," warned Nick Tausek, lead security automation architect at Swimlane.
"That makes this especially dangerous for law firms. These environments hold sensitive client records, privileged communications, financial details, and case information. If that data is stolen, the damage does not stop at the victim organization. Clients can be pressured, legal strategies can be exposed, and employees can become targets for follow-up scams."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
