Sourcing note: This thought piece is based on research conducted by Aon’s Intelligence Group using subscription threat intelligence databases that monitor the dark web and invite-only hacker forums.
Dark web auctions that sell backdoor access to law firm servers have perhaps become the most unconventional threat to the sacred attorney-client privilege. For less than $10,000, a bad actor can often purchase rights on the dark web to explore files on a hacked firm’s network that may include internal memorandums, client e-mails, and other confidential work products.[1] More importantly, these attacks can impact anyone, from small private practices to well-known firms led by top-rated attorneys. To further complicate this threat landscape, the commonplace existence on the dark web of compromised usernames and passwords belonging to law firm employees remains an issue that requires regular monitoring in order to avoid a potential catastrophe. As a result, when examining the threats facing the legal industry, maintaining awareness of a firm’s dark web presence should be on every managing partner’s priority list.
By exploiting weak security practices, hackers on dark web forums regularly maintain and advertise unauthorized access to unwitting organizations. For a fee, normally paid in bitcoin, fellow members of the forum can take advantage of the discovery and surreptitiously exfiltrate the contents of anything on the network, from sensitive client data to keystrokes from employee PCs. This data can ultimately be leveraged for a range of reasons including fraud, hacktivism, and even espionage by nation-states. Unfortunately, law firms have not been exempt from this black market industry, and bona fides posted openly on forums have included such items as retainer letters and screenshots of client lists. Victims discussed in forums have included both American and European firms, and research was unable to determine how long it took for those firms to discover the incident or whether clients were ever notified of a breach. In many instances where a bad actor is unable to obtain their asking price in auctions, they may alternatively monetize their access by attacking their victim with ransomware or blackmailing them with stolen data.
Another area of concern is the commonplace existence of compromised credentials on the deep and dark web that can be leveraged by bad actors to potentially access law firm networks. Cursory deep and dark web searches performed by Aon in March 2020 revealed tens of thousands of usernames and passwords belonging to attorneys of leading global firms whose credentials were compromised in third-party security breaches. In other words, an associate at XYZ law firm may have used their work e-mail to register at a digital music service or social media site that later suffered a data breach. Included in the breach was the associate’s corporate e-mail address and password, which may be similar or identical to the password they use to access their corporate network. Armed with these compromised credentials, a bad actor may launch login attacks against the victim’s employer. Organizations that fail to implement proper security controls may succumb to this attack, with a breach occurring shortly thereafter. In addition, these exposed credentials can be leveraged by attackers to compile a list of targets for spear phishing campaigns with the intent of penetrating a firm’s network.
Although there are never any guarantees when it comes to staying protected from a future breach, taking steps to develop an early warning system can help decrease an organization’s risk or at least minimize damage related to previously undetected activity. Subscription-based threat intelligence databases that serve as a means of combing numerous deep and dark web forums can be an effective tool for discovering compromised credentials or ads offering illicit access to corporate networks. In addition, consultants with expertise in foreign languages, hacker tradecraft, and dark web searches can often step in to perform critical functions that go far beyond the capabilities of any subscription service. Consequently, a budgeted outsourcing of annual deep and dark web searches or active threat monitoring can yield great dividends, resulting in risk management at a minimal expense. An ounce of prevention is worth a pound of cure, and there is no greater priority for attorneys than to protect their clients’ secrets.
Author: Dennis Lawrence
[1] Figures are based on deep and dark web searches performed by Aon in March 2020.