Jono Soo
Head of Cyber Specialty, New Zealand
Professional service firms have continued to be an attractive target for cyber criminals over the first quarter of 2021. In particular, Marsh and Clyde & Co Lawyers have seen an increasing prevalence of cyber-attacks on law firms over the past three months.
This alert is intended to raise awareness within professional services firms of the ongoing threat given the increasing focus of cyber criminals on this sector and the need for heightened security to respond to this.
In particular, we have seen an increasing prevalence of the following types of incidents:
There has been an increase in phishing attacks targeting professional service firms in Australia and New Zealand. One key method of attack is email scams that use compromised Dropbox accounts to send emails containing phishing links.
While common, scams that are initiated from compromised file sharing accounts like Dropbox are particularly dangerous, for a number of reasons:
Cybercriminals frequently exploit the branding of global companies like Dropbox in their scams because the company's good reputation lulls victims into a false sense of security and, with such a large number of users, its customers are an easy and attractive target. Since the Dropbox service requires users to click a link to view, edit or download files, such links are a convenient trojan horse for malicious attacks.
We highly recommend warning staff to apply an extra level of caution to emails purporting to have been sent using Dropbox and other file sharing services. As always, where suspicious emails are received by staff, or staff are unsure of an email’s authenticity, staff should contact their IT support desk for advice.
In the event that a staff member has already clicked on a hyperlink, entered their login details or downloaded any document, they should immediately notify their IT service desk and change the password to their email account and any other accounts that share the same username (email address) and/or password.
To obtain further guidance and support, firms can access the incident response services available through their cyber insurance policy.
Clyde & Co have advised us of a number of incidents where professional service firms have been impacted by the recently exposed Microsoft Exchange Server vulnerabilities. In early March, Microsoft released emergency security updates to patch four security vulnerabilities in its Exchange Servers, after it was found that hackers were actively using the vulnerabilities to intercept email communications – see our previous alert on this issue here.
On Wednesday April 14th, Microsoft released another set of security updates to address additional newly-discovered vulnerabilities impacting on-premises Microsoft Exchange Servers. Although, at present, we do not believe there are any exploits of these newly discovered vulnerabilities, given the amount of threat actor interest in the March vulnerabilities, it is likely that working exploits will emerge in the days ahead.
Whilst the extent of the intrusion from these incidents varies on a case-by-case basis, many incidents have seen the threat actor gain access to administrator privileges, complicating containment and remediation efforts. Microsoft has also observed instances where threat actors have planted ‘web shells’ to obtain persistent access to compromised Exchange Servers. Web shell malware allows threat actors to access networks remotely and execute various commands, exfiltrate data and install further malware to extend their unauthorised access to the network. Malicious web shells can be difficult to detect because threat actors often use encryption methods to hide their actions.
The continued discovery of these vulnerabilities further reinforces the importance of regular security updates and the need to include an effective patch management program as part of firms’ broader cyber security strategies.
To address this ongoing issue, we recommend that professional service firms (and their IT teams):
This article contains general information which does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. Any advice is general in nature only and should not be construed as legal advice. LCPA 21/076