[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Services Industries


Page 1: [Industry Intelligence Brief] Cyber Threats to the Legal and Professional Services Industries

Legal and professional services firms face cyber threats from the following threat actors:

• Advanced Persistent Threat (APT)[1] groups will likely seek to exploit trusted client relationships and gain access to intellectual property or proprietary information to benefit a government sponsor.

• Enterprise-like cybercriminals will probably attempt to obtain and monetize proprietary client information for their own profit.

• Hacktivists may target law firms and professional services organizations to call attention to a particular cause, or disrupt operations and embarrass the victim if threat actors feel that the organization is involved in a controversial issue or representing a controversial client.

OBSERVED TARGETING

We have observed at least 12 advanced threat groups compromise companies in these subsectors.

Subsectors Compromised

• Business Process Outsourcing
• Consulting Firms
• Legal Services
• Professional Services
• Public Relations, Marketing & Advertising Agencies
• Research Firms

Data Stolen from Legal & Professional Services Organizations

• Business Communications
• Legal Documents
• Records of Meeting
• Statements of Work
• Business & Strategic Plans & Goals
• Programs & Initiatives
• Public Relations Products

FIREEYE INDUSTRY INTELLIGENCE REPORT

[1] Advanced Persistent Threat (APT) actors are assessed to take direction from a nation state to steal information or conduct network attacks, tenaciously pursue their objectives, and are capable of using a range of tools and tactics.

CYBER THREATS TO THE LEGAL AND PROFESSIONAL SERVICES INDUSTRIES | SECURITY REIMAGINED

Page 2: [Industry Intelligence Brief] Cyber Threats to the Legal and Professional Services Industries

CASE STUDY: APT GROUPS TARGET LAW FIRM INVOLVED IN ENERGY INDUSTRY

We conducted a network investigation for a global law firm that had discovered that its systems had communicated with known malicious IP addresses. Our investigation found that two China-based threat groups had compromised the firm shortly after it had represented legal parties against the Chinese government and China-based businesses in two large financial oil ventures. The threat actors initially gained access through use of a phishing email that contained a malicious link. They were then able to obtain the local administrator account password and access all of the network’s systems, as all of the computers shared the same local administrator password. The threat actors compromised at least 37 systems, obtained credentials for all of the firm’s users, and stole more than 200 MB of email data from at least two systems in the firm’s office in Beijing, China.
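The case study turns on one weakness: every workstation shared the same local Administrator password, so one stolen credential opened the whole network. The detection below is an added example, not code from the FireEye brief; it runs over a constructed, simplified set of Windows successful-logon (4624) events and flags a source that authenticates as a local Administrator account to many distinct hosts in a short window, which is the trace a reused local admin password leaves once it is abused.

```python
# Added example (not from the FireEye brief): flag one source address that
# performs network logons as a *local* Administrator account on many hosts
# within a short window, the pattern a shared local admin password produces.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 events, reduced to the fields a SIEM normalises:
# timestamp, destination host, account, logon type (3 = network), source IP.
SAMPLE_LOGONS = [
    ("2015-02-10T09:00:00", "WKS-01", "WKS-01\\Administrator", 3, "10.0.0.5"),
    ("2015-02-10T09:00:20", "WKS-02", "WKS-02\\Administrator", 3, "10.0.0.5"),
    ("2015-02-10T09:00:41", "WKS-03", "WKS-03\\Administrator", 3, "10.0.0.5"),
    ("2015-02-10T09:01:05", "FS-01",  "FS-01\\Administrator",  3, "10.0.0.5"),
    ("2015-02-10T09:01:30", "WKS-09", "WKS-09\\Administrator", 3, "10.0.0.5"),
    ("2015-02-10T09:02:00", "WKS-04", "CORP\\jsmith",          3, "10.0.0.77"),
    ("2015-02-10T13:00:00", "WKS-04", "WKS-04\\Administrator", 2, "-"),
]


def find_local_admin_spray(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {source_ip: sorted hosts} for every source whose network logons
    as a local Administrator reach >= min_hosts distinct hosts within `window`.
    A local account is recognised because the domain part of the account name
    equals the destination host (HOST\\Administrator); domain accounts and
    interactive (type 2) logons are ignored."""
    per_source = defaultdict(list)
    for ts, host, account, logon_type, src in events:
        domain, _, user = account.partition("\\")
        if logon_type != 3 or user.lower() != "administrator" or domain != host:
            continue
        per_source[src].append((datetime.fromisoformat(ts), host))

    hits = {}
    for src, logons in per_source.items():
        logons.sort()
        # Slide a window from each logon; the first window that reaches the
        # threshold is enough to report the source.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for src, hosts in find_local_admin_spray(SAMPLE_LOGONS).items():
        print(f"{src} reached {len(hosts)} hosts as local Administrator: {hosts}")
```

The threshold and window are tuning knobs; in a real estate the same query is usually run against a SIEM rather than a Python list, but the logic (local account, network logon, many destinations, one source) is the same.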


THREAT HORIZON AND INDUSTRY OUTLOOK

FireEye believes that legal firms and professional services organizations will primarily continue to face threats from actors seeking to steal data. Factors that may influence threat activity against these sectors likely include:

• Involvement in negotiations or legal proceedings surrounding a major strategic issue: state-sponsored threat actors will likely target such firms for espionage purposes intended to provide the sponsoring government with the ability to monitor legal activity, secure an advantage in negotiations, or otherwise inform its own decision making.

• Access to proprietary client data: financially motivated cybercriminals will probably target legal firms and professional services organizations to gain access to client data, whether financial and account information or proprietary, market-moving information. These threat actors will likely seek to monetize such information for their own personal gain.

• Access to high-value clients: threat actors will likely target legal firms and professional services organizations to take advantage of their trusted relationships and gain access to client information, or even clients' networks themselves.

TOP 5 MALWARE FAMILIES

FireEye most frequently detected threat actors using the following targeted malware families to compromise organizations in the legal and professional services sectors:

• 35% Gh0stRAT
• 25% Kaba
• 17% XtremeRAT
• 13% LV
• 10% ChinaChopper

Gh0stRAT is a remote access tool (RAT) derived from publicly available source code. It can perform screen and audio captures, enable a webcam, list and kill processes, open a command shell, wipe event logs, and create, manipulate, delete, launch, and transfer files.

Kaba (aka SOGU aka PlugX) is a backdoor capable of file upload and download, arbitrary process execution, filesystem and registry access, service configuration access, remote shell access, and implementing a custom VNC/RDP-like protocol to provide the command and control (C2) server with graphical access to the desktop. It provides SQL database-querying capabilities and may communicate using HTTP POSTs or a custom binary protocol.

XtremeRAT is a publicly available RAT capable of uploading and downloading files, interacting with the Windows registry, manipulating processes and services, and capturing data such as audio and video.

LV (aka NJRAT) is a publicly available RAT capable of keystroke logging, credential harvesting, reverse shell access, file uploads and downloads, and file and registry modifications. It also offers threat actors a “builder” feature to create new variants.

ChinaChopper is a simple code injection webshell that is capable of executing Microsoft .NET code within HTTP POST commands, and can upload and download files, execute applications with webserver account permissions, list directory contents, access Active Directory, access databases, and undertake any other action allowed by the .NET runtime. Anti-virus software often does not detect ChinaChopper, due to its simplicity and the variability of its contents. Detection therefore relies on analysis of network traffic, or manual detection on the victim computer using regular expressions (regexes).

Page 3: [Industry Intelligence Brief] Cyber Threats to the Legal and Professional Services Industries


FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com

© 2015 FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

INTEL.FIN.EN-US.022015

TOP 5 CRIMEWARE FAMILIES

FireEye’s sinkhole and dynamically shared threat data indicate that the following crimeware variants were the most commonly detected in the legal and professional services sectors:

• 44% RAMDO
• 19% RUSSKILL
• 14% GAMARUE
• 13% ASPROX
• 10% ZEROACCESS

RAMDO is a trojan that sends information about an infected system’s operating system and hardware to its C2 server. It can prevent anti-virus software from properly functioning and engage in click fraud.

RUSSKILL allows threat actors to use infected machines in DDoS attacks against the target of a threat actor’s choosing.

GAMARUE (aka Andromeda bot) is a multipurpose trojan that can be used as a keylogger, form grabber, or a dropper for other malicious software. It contains several anti-debugging and anti-VM capabilities.

ASPROX is a spam botnet that typically uses themes related to airline tickets, postal services, and license keys in order to entice victims to open the emails and download malicious software.

ZEROACCESS (aka Sirefef) is a trojan with advanced rootkit capabilities. Initially developed as a delivery mechanism for other types of malicious software, it has been re-architected to perform click fraud.

TOP MALWARE IN IRs

The malware families that APT groups most frequently used in incidents that we responded to in this sector include:

BANGAT is a backdoor capable of key logging, connecting to a driver, creating a connection to a C2 server, capturing mouse movement, gathering system information, creating and killing processes, harvesting passwords, shutting down and logging off systems, and creating and modifying files.

POISON IVY is a publicly available RAT that provides comprehensive remote access capabilities on a compromised system. Its variants are configured, built, and controlled using a graphical Poison Ivy management interface. It can be configured to produce shellcode, which can be packaged into an executable or combined with an existing executable to hide its presence.

LEOUNCIA is a backdoor that is capable of uploading and downloading files, launching executables, running arbitrary shell commands, listing and killing processes, obtaining directory listings, and communicating with a C2 server using HTTP requests.

HOMEUNIX (aka 9002) is primarily a generic launcher for downloaded plug-ins. These plug-ins are stored in a memory buffer, and then loaded and linked manually by the malware. This means that the plug-ins never have to touch disk. However, the malware may also store and save plug-ins; these plug-ins will run after the system is rebooted without the attacker having to send them again to the victim system.

Gh0stRAT (see previous description)