WASHINGTON — Data theft extortion groups are increasingly targeting professional services firms, including legal and financial services organizations, by impersonating information technology support personnel and convincing employees to grant remote access to corporate systems, according to a new threat intelligence report from Mandiant and Google Threat Intelligence Group.
The report warned that a cybercriminal group tracked as UNC3753, also known as Luna Moth, Chatty Spider and Silent Ransom Group, has conducted a broad campaign against dozens of organizations in the United States. Rather than deploying traditional ransomware, the group focuses on stealing sensitive data and then demanding payment to prevent its release.

According to Mandiant and Google Threat Intelligence Group, the attackers rely heavily on voice phishing, or “vishing,” and social engineering techniques. In many cases, employees receive emails directing them to contact what appears to be a company help desk. When employees call, the attackers pose as IT support staff and persuade victims to install remote-access software or provide credentials that allow the criminals to enter corporate networks.
FIs Among Top Clients
The researchers said professional services firms, law firms and financial services organizations have become attractive targets because they often hold large volumes of confidential client information, financial records, legal documents and other sensitive data that can be used for extortion.
Once inside a network, the attackers seek to identify and exfiltrate valuable information before contacting victims with extortion demands. The threat actors typically threaten to publish or sell the stolen information if payment is not made.
For banks, credit unions, mortgage lenders and other financial institutions, Mandiant and Google recommended several defensive measures.
Key Recommendations
Among the key recommendations:
- Train employees to recognize voice-phishing and social engineering attempts, particularly unsolicited communications involving technical support requests.
- Establish clear procedures for validating help-desk communications and IT support requests.
- Restrict the installation and use of remote-management and remote-access software to authorized personnel.
- Require multifactor authentication across critical systems and remote-access tools.
- Closely monitor network activity and access logs for unusual behavior, including unauthorized remote-access sessions.
- Limit user privileges and apply the principle of least privilege to reduce the impact of compromised accounts.
- Maintain robust incident-response and data-protection programs to help detect and contain intrusions before sensitive information can be exfiltrated.
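As an added example that is not from the report or this article, the following Python sketch shows one way to operationalize the two remote-access recommendations above: it scans constructed endpoint process-creation records for launches of remote-access tools and flags any run by a user outside the authorized help-desk set, or from a user-writable download location even by an authorized user. The tool executable names, account names, hostnames and log format are all assumptions.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed allow-lists (assumptions, not from the report): which remote-access
# executables the organization sanctions, and which accounts may run them.
REMOTE_ACCESS_TOOLS = {"rmmagent.exe", "remotesupport.exe"}
AUTHORIZED_USERS = {"CORP\\it-helpdesk01", "CORP\\it-helpdesk02"}
# Sanctioned deployments run from Program Files; an employee talked into
# "installing support software" during a call typically runs it from here.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\")


@dataclass
class Alert:
    host: str
    user: str
    image: str
    reason: str


def check_process_event(event: dict) -> Optional[Alert]:
    """Return an Alert if a process-creation event is an unsanctioned remote-access launch."""
    image_path = event.get("image", "").lower()
    image_name = image_path.rsplit("\\", 1)[-1]
    if image_name not in REMOTE_ACCESS_TOOLS:
        return None  # not a remote-access tool; nothing to flag
    user = event.get("user", "")
    if user not in AUTHORIZED_USERS:
        return Alert(event["host"], user, image_name, "remote-access tool launched by unauthorized user")
    if image_path.startswith(USER_WRITABLE_PREFIXES):
        return Alert(event["host"], user, image_name, "remote-access tool run from user-writable path")
    return None


def scan_log(lines: List[str]) -> List[Alert]:
    """Run the check over JSON-lines process-creation records, skipping blank lines."""
    return [a for a in (check_process_event(json.loads(l)) for l in lines if l.strip()) if a]


# Constructed sample events: a sanctioned help-desk session, an employee who installed
# the tool after a fake help-desk call, and an unrelated process on the same host.
SAMPLE_LOG = [
    r'{"host":"FIN-WS-017","user":"CORP\\it-helpdesk01","image":"C:\\Program Files\\Vendor\\rmmagent.exe"}',
    r'{"host":"FIN-WS-042","user":"CORP\\j.smith","image":"C:\\Users\\j.smith\\Downloads\\rmmagent.exe"}',
    r'{"host":"FIN-WS-042","user":"CORP\\j.smith","image":"C:\\Windows\\System32\\notepad.exe"}',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.host} {a.user} {a.image}: {a.reason}")
```

In a real deployment the allow-lists would come from the asset and identity inventories, and the events from the EDR or Sysmon process-creation feed rather than an inline list.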
A Broader Shift
The report highlights a broader shift among cybercriminal groups away from encryption-based ransomware attacks and toward data theft and extortion schemes that depend on social engineering and credential compromise rather than malware deployment. According to the researchers, the approach can be more difficult for organizations to detect because attackers often use legitimate tools and authorized user accounts after gaining access.
Mandiant and Google Threat Intelligence Group said organizations in the legal, professional and financial sectors should assume they remain high-priority targets and strengthen employee awareness programs and identity-security controls accordingly.