Targeted cyber attacks on Aus legal sector in Q3 likely launched by organised criminal groups

The targeted cyber attacks aimed at the Australian legal sector in the third quarter were likely the work of organised criminal groups.

The insight came from cyber security services provider Mimecast in its “Threat Intelligence Report: Risk and Resilience Insights” analysis for the latest full quarter, which found that the legal industry in Australia was attacked twice in July and once in September.

It said that nearly all of the attacks that targeted the legal industry in Australia used “generic trojanized ISO files,” or simply files that are malicious but are disguised to look legitimate, using three known malware families called “Andromeda,” “Noon,” and “Razy.” “Andromeda” and “Noon” are mainly described as spyware, which is software that snoops on and steals information from infected machines.

Attackers also used publicly known information-security vulnerabilities classified as “CVE-2017-8750” and “CVE-2017-11882,” Mimecast said. Both of the exploits can remotely run code through vulnerabilities in Microsoft Office software, which can lead to attackers being able to take actions on behalf of the logged-on user, or even gain control of the compromised system in certain scenarios.

“The legal sector attacks are highly likely to have been organised criminal groups attempting to compromise their intended targets for monetary gain, given the access to significant funds which the sector is perceived to have,” Mimecast said. “The legal sector also has access to highly sensitive, valuable client information.”

The company said, however, that none of the targeted cyber attacks lasted for more than a day and that attack vectors used “did not appear to significantly vary or evolve in terms of their complexity.”

Global trends

Mimecast pointed out four patterns that emerged after it analysed data from July to September from all regions.

It said that the overwhelming majority of attacks remain less sophisticated, volume forms of attack. However, more complex attacks took place for periods of several days. These reflect the increasing access to online tools and kits that enable the launching of cyberattacks, as well as attackers taking advantage of human errors. “Even the simplest attacks can be successful,” it said, adding that more potent forms of malware and ransomware are used when attacks progress to later stages.

Mimecast also found that file compression is an attack format of choice, since it allows more complex payloads that can include multiple pieces of malware, all while providing a basic way to hide true file names in the container. According to the study’s data, ZIP files far outnumbered other formats in the attacks detected in the quarter, reflecting an ongoing trend this year.

It also said that specific sectors are repeatedly targeted. The top sector globally for attack based on targeting is transportation, followed by storage and delivery, banking, and the legal sector. It said that the banking sector has been the subject of the highest volume of attacks, with five campaigns identified by the report aimed at the sector in Australia and South Africa.

Mimecast also said that impersonation attacks are increasing and now include a range of voice messaging and less coercive communication. These attacks present as more nuanced and persuasive, it said.