Client Alert: Cyber attacks on Australian professional services firms
Professional service firms have continued to be an attractive target for cyber criminals over the first quarter of 2021. In particular, Marsh and Clyde & Co Lawyers have seen an increasing prevalence of cyber-attacks on law firms over the past 3 months.
This alert is intended to raise awareness within professional services firms of this ongoing threat, given cyber criminals' increasing focus on the sector, and of the need for heightened security in response.
In particular we have seen an increasing prevalence of the following types of incidents:
- Business email compromise incidents (stemming from phishing attacks); and
- Exploitation of zero-day vulnerabilities in Microsoft Exchange Server.
Notification of email phishing scams targeting professional services firms
There has been an increase in phishing attacks targeting professional service firms in Australia. One key method of attack is a circulating email scam that uses compromised Dropbox accounts to send emails containing phishing links.
While common, scams that are initiated from compromised file sharing accounts like Dropbox are particularly dangerous, for a number of reasons:
- The emails are sent from a legitimate account (or what appears to be a legitimate account), so they are unlikely to be blocked by email security services;
- Recipients are more receptive to the emails because they come from a legitimate account, especially where the sender is known to them; and
- The emails may deliver a malicious payload, or direct users to external phishing pages that harvest credentials.
Cybercriminals frequently exploit the branding of global companies like Dropbox in their scams because the company's good reputation lulls victims into a false sense of security and its large user base makes an easy and attractive target. Since the Dropbox service requires users to click a link to view, edit or download files, such links are a convenient Trojan horse for malicious attacks.
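The pattern described above (a share notification that appears to come from a legitimate service but links elsewhere) can be checked mechanically before a message reaches staff. The script below is an added example written for this alert, not code from Marsh, Clyde & Co or Dropbox; the list of domains a genuine Dropbox notification links to is an assumption for illustration, and the two sample messages are constructed. A notification whose links leave the service is reported as "block"; one whose links genuinely go to the service is still reported as "review", because the alert's point is that the sending account itself may be compromised.

```python
"""Triage helper for file-sharing notification emails (added example).

Parses a raw RFC 5322 message, extracts every URL in the text body and
reports which ones point outside the domains the claimed sharing service
actually uses.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Domains a genuine Dropbox share notification links to. ASSUMPTION for this
# example; maintain the list per service from your own mail flow.
SERVICE_DOMAINS = {
    "dropbox": ("dropbox.com", "dropboxusercontent.com"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_matches(host, domains):
    """True if host is one of the service domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def claimed_service(msg):
    """Which sharing service does the message claim to come from?
    Looks at the From display name/address and the Subject only."""
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    for service in SERVICE_DOMAINS:
        if service in text:
            return service
    return None


def extract_urls(msg):
    """All URLs in the preferred text body (plain first, then HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return []
    return URL_RE.findall(body.get_content())


def triage(raw_bytes):
    """Return (verdict, off_service_urls) for one raw message.

    verdict is one of:
      'block'  - claims to be a file-share notice but links off-service
      'review' - links only to the service; sender account may still be compromised
      'none'   - does not look like a file-share notice
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    service = claimed_service(msg)
    if service is None:
        return "none", []
    off_service = []
    for url in extract_urls(msg):
        host = urlparse(url).hostname or ""
        if not _host_matches(host, SERVICE_DOMAINS[service]):
            off_service.append(url)
    return ("block" if off_service else "review"), off_service


# Constructed sample messages for the demo (not real mail; .example is a reserved TLD).
SAMPLE_PHISH = b"""From: "Dropbox" <no-reply@dropbox.com>
Subject: A. Smith shared "Settlement_Deed.pdf" with you
Content-Type: text/plain

A. Smith shared a file with you. View it at
https://dropbox-secure-login.example/view?id=123
"""

SAMPLE_LEGIT = b"""From: "Dropbox" <no-reply@dropbox.com>
Subject: A. Smith shared "Agenda.pdf" with you
Content-Type: text/plain

View file: https://www.dropbox.com/s/abc123/Agenda.pdf?dl=0
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(raw))
```

The "review" verdict is deliberate: a link that really resolves to the service cannot be cleared by URL inspection alone, which is why the alert asks staff to apply extra caution to all file-sharing notifications and to refer doubtful ones to the IT service desk.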
We highly recommend warning staff to apply an extra level of caution to emails purporting to have been sent using Dropbox and other file sharing services. As always, where suspicious emails are received by staff, or staff are unsure of an email’s authenticity, staff should contact their IT support desk for advice.
In the event that a staff member has already clicked on a hyperlink, entered their login details or downloaded any document, they should immediately notify their IT service desk and change the password on their email account and on any other accounts that share the same username (email address) and/or password.
To obtain further guidance and support, firms can access the incident response services available through their cyber insurance policy.
Microsoft zero-day exchange server vulnerabilities and additional security updates (updated April 2021)
Clyde & Co have advised us of a number of incidents where professional service firms have been impacted by the recently exposed Microsoft Exchange Server vulnerabilities. In early March, Microsoft released emergency security updates to patch four security vulnerabilities in its Exchange Servers, after it was found that hackers were actively using the vulnerabilities to intercept email communications – see our previous alert on this issue here.
On Wednesday April 14th, Microsoft released another set of security updates to address additional newly-discovered vulnerabilities impacting on-premises Microsoft Exchange Servers. Although, at present, we do not believe there are any exploits of these newly discovered vulnerabilities, given the amount of threat actor interest in the March vulnerabilities, it is likely that working exploits will emerge in the days ahead.
Whilst the extent of the intrusion from these incidents varies on a case-by-case basis, many incidents have seen the threat actor gain access to administrator privileges, complicating containment and remediation efforts. Microsoft has also observed instances where threat actors have planted ‘web shells’ to obtain persistent access to compromised Exchange Servers. Web shell malware allows threat actors to access networks remotely and execute various commands, exfiltrate data and install further malware to extend their unauthorised access to the network. Malicious web shells can be difficult to detect because threat actors often use encryption methods to hide their actions.
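The two signals in the paragraph above, unexpected files in directories that should only change when the product is patched and script content that passes request input to a command interpreter, can be combined into a simple sweep. The script below is an added example written for this alert; it is not Microsoft's detection script (which is what the recommendations later in this alert refer to) and not code from Marsh or Clyde & Co. The file extensions, indicator tokens, weights and threshold are this example's own assumptions, and the demo creates a constructed, inert test file whose indicator tokens sit inside a server-side comment. Treat hits as leads for incident response, not as proof of compromise.

```python
"""Heuristic web-shell sweep for a web root (added example).

A script file is reported when it is missing from, or differs from, a
known-good hash baseline AND its content scores above a token threshold.
Run against a copy of the web root.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Server-side script types to inspect. ASSUMPTION for this example.
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}

# Indicator tokens and weights (this example's own choice, not a published ruleset).
TOKENS = [
    (re.compile(r"Request\s*[\.\[]", re.I), 2),                                     # reads request input
    (re.compile(r"Process\.Start|cmd\.exe|powershell|/bin/sh|shell_exec|passthru", re.I), 3),  # spawns a command
    (re.compile(r"\beval\b|\bexecute\b", re.I), 3),                                  # runs code from a string
    (re.compile(r"FromBase64String|base64_decode", re.I), 1),                        # common obfuscation
]
THRESHOLD = 4


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (known-good snapshot)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def score(text: str) -> int:
    """Sum of weights for every indicator pattern present in text."""
    return sum(w for pat, w in TOKENS if pat.search(text))


def sweep(root: Path, baseline: dict) -> list:
    """Return sorted (relative_path, score) for script files that are new or
    modified relative to the baseline and score at or above THRESHOLD."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        if baseline.get(rel) == sha256_of(p):
            continue  # unchanged since the known-good snapshot
        s = score(p.read_text(errors="replace"))
        if s >= THRESHOLD:
            hits.append((rel, s))
    return sorted(hits)


def demo() -> list:
    """Build a tiny constructed web root, snapshot it, drop in an inert test
    file, and return what the sweep reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "owa").mkdir()
        (root / "owa" / "default.aspx").write_text(
            '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
        baseline = build_baseline(root)  # taken from the known-good install
        # Constructed, inert test file: indicator tokens inside a server-side comment.
        (root / "owa" / "aspnet_client.aspx").write_text(
            '<%@ Page Language="C#" %>\n'
            '<%-- test marker: eval(Request["x"]); Process.Start --%>\n')
        return sweep(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline comparison is what keeps the token scoring useful on a real Exchange install, where legitimate pages also read request input: only files that are new or changed since the last known-good snapshot are scored, and the snapshot must be refreshed after each patch cycle.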
The continued discovery of these vulnerabilities further reinforces the importance of regular security updates and the need to include an effective patch management program as part of firms’ broader cyber security strategies.
To address this ongoing issue, we recommend that professional service firms (and their IT teams):
- As a first step, review the Australian Cyber Security Centre Guidance, which provides more information about the known vulnerabilities and their patches. The ACSC guidance also provides links to Microsoft guidance on the issue and to mitigation tools. Installing the recommended patches closes the vulnerabilities that expose businesses to these breaches. It should be stressed that this step is preventative rather than responsive and will not address an existing compromise.
- Undertake the detection steps outlined by Microsoft to assess whether and to what extent your network may have been compromised as a result of the Exchange vulnerabilities.
- If necessary, initiate your incident response processes and urgently review privacy obligations that may arise from the incident.
- Contact their cyber-insurers to obtain assistance from expert vendors to support their response.
This article contains general information which does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. Any advice is general in nature only and should not be construed as legal advice. LCPA 21/076