Brief #7: Cyber Threats Target Law Firms, Ports, and More

Mandos Brief, Week 27 2023: Latest cybersecurity threats hitting law firms, ports, and the implications of France's new surveillance law, rising TrueBot malware



Massive Cybersecurity Breach Hits Top US Law Firms

The recent cybersecurity breach that hit three of the largest US law firms underscores the growing threat of cyberattacks on the legal sector. The firms were targeted as part of a broader global data theft operation by the ransomware group Clop, also known as TA505.

The breach was facilitated by a vulnerability in the MOVEit software, a tool used by these firms for file transfers. This highlights the critical importance of regularly updating and patching software to address security vulnerabilities before they are exploited.

The timing of the attack, during the Memorial Day weekend, is a signature move of the Clop group, demonstrating their strategic approach to launching attacks when security monitoring may be reduced.

The scale of this breach, potentially impacting over 16 million individuals, underscores the severe consequences of such cyberattacks. It serves as a stark reminder for law firms and other organizations to prioritize cybersecurity, given the sensitive nature of the data they handle.

The incident also raises questions about the role of ransomware negotiation teams and the ethics of paying ransom demands. With the Clop group known to demand millions in extortion fees, the debate around the best strategies to respond to such attacks continues.

Ransomware Attack Paralyzes Japan's Largest Port

The ransomware attack on the Port of Nagoya, Japan's busiest shipping port, underscores the growing threat of cyberattacks on critical infrastructure. The attack, which is suspected to have originated from Russian hackers, caused a significant disruption in cargo operations, highlighting the potential economic impact of such incidents.

The ransomware used in the attack is believed to be LockBit, a type of malware associated with Russian-speaking hackers. This malware encrypts data on the victim's systems, rendering them inaccessible until a ransom is paid. The attack on the Port of Nagoya marks the first time a Japanese port has been targeted in this manner, raising concerns about the vulnerability of the country's critical infrastructure to cyber threats.

Cisco's Unpatched Flaw: A Crack in Cloud Encryption

The flaw, tracked as CVE-2023-20185, affects the Application Centric Infrastructure (ACI) Multi-Site CloudSec encryption feature on Cisco Nexus 9000 series fabric switches.

This flaw allows threat actors to read and modify encrypted traffic, posing a significant risk to data confidentiality and integrity. An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption.

What makes this situation more concerning is that there are currently no patches available for this vulnerability. Cisco has advised customers using the affected switches to disable the CloudSec encryption feature and to contact their support organization to evaluate alternative options.

Rising TrueBot Malware Attacks: A Cybersecurity Alarm

The TrueBot malware, linked with cybercriminal collectives Silence and FIN11, has evolved to pose a significant threat to cybersecurity. The malware targets companies in the US and Canada, exploiting a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server. Once the vulnerability is exploited, TrueBot and the FlawedGrace remote access trojan (RAT) are installed to escalate privileges, establish persistence, and conduct additional operations.

The shift in delivery vector, from primarily malicious email attachments to exploiting the CVE-2022-31199 vulnerability, allows cyber threat actors to carry out attacks on a broader scale within infiltrated environments. This strategic shift underscores the evolving nature of cyber threats and the need for continuous vigilance and robust security measures.

The US government and other cybersecurity agencies have issued advisories and recommended mitigations, including applying patches to the Netwrix Auditor remote code execution flaw. Organizations are urged to implement these measures to reduce the likelihood and impact of TrueBot activity and other ransomware-related incidents.

French Surveillance Law: A New Era of Digital Policing

The newly passed French law marks a significant shift in the landscape of digital surveillance. It allows police to remotely access cameras, microphones, and GPS on suspects' devices, including phones, laptops, and cars. This law applies to suspects involved in crimes punishable by a minimum of five years in jail, and it requires judge approval for any surveillance, limiting the duration to six months.

However, critics argue that this law effectively transforms personal digital tools into police auxiliaries, raising serious privacy concerns. The law comes amidst ongoing protests in France, further fueling concerns about its potential misuse.
