Close Menu
    Subscribe
    News

    Ongoing Targeted Campaign Against US Law Firms

    adminBy No Comments5 Mins Read


    Suspected UNC3753 Activity Involving Physical Access

    While UNC3753 primarily relies on digital vectors, GTIG assesses that associated threat actors have also attempted direct data theft using physical, in person access. This escalating tactic is corroborated by a recent FBI Cyber FLASH Alert highlighting instances where Silent Ransom Group threat actors leveraged physical office access to exfiltrate corporate data via removable USB media.

    According to the FBI advisory, if remote social engineering attempts fail, actors will send an individual to a victim’s physical location. The onsite threat actor will claim they need to image the device or create local backups to address a security issue. Once they gain access to the endpoint, they attempt to exfiltrate corporate data directly to an external drive.

    Although limited forensic evidence and the absence of a subsequent extortion attempt prevent formal attribution, GTIG assesses that these physical intrusions are likely associated with UNC3753 based on structural, timeline, and targeting overlaps.

    Attribution

    GTIG attributes this campaign and related social engineering operations to UNC3753 based on infrastructure overlaps, domain registrar tracking, victimology, and target staging directories. UNC3753 (aliases: “Luna Moth,” “Chatty Spider,” and “Silent Ransom Group (SRG)”) is a financially motivated threat cluster active since at least March 2022. UNC3753 has TTP overlaps with UNC2686, a threat cluster that conducted “Bazarcall” style campaigns dating to early 2021. UNC3753 deployed LOCKBIT.BLACK in 2022, but has since prioritized data theft extortion-only operations typically involving threats to post stolen files to the LEAKEDDATA DLS. The threat cluster relies heavily on Remote Monitoring and Management (RMM) tools, unlike UNC2686 which deployed BAZARLOADER variants as well as TRICKBOT, URSNIF, and SILENTNIGHT. Initially, UNC3753 used subscription-themed billing email lures (such as fake software renewal alerts), typically with PDF attachments containing phone numbers for actor-controlled call centers. Beginning around March 2025, the cluster shifted tactics to pose as internal corporate IT helpdesk staff.

    Remediation and Hardening

    To mitigate the risk of voice phishing, physical office intrusions, and unauthorized endpoint control, GTIG recommends that organizations implement the following mitigation controls:

    User Education

    Conduct user awareness training specifically tailored to UNC3753 tactics, techniques, and procedures.

    Physical Access and Verification Policies

    Implement rigid out-of-band identity verification controls for all external contractors, technical staff, and facilities visitors. Mandate the following physical controls:

    • Require visitors to display official credentials and photo identification.

    • Require front-desk staff to copy and log all physical visitor IDs before granting access.

    • Verify the arrival of all technicians against pre-scheduled work orders directly with the verified parent organization or helpdesk dispatcher.

    • Enforce a policy requiring physical technical service personnel to be escorted by a corporate supervisor at all times.

    Remote Access Conditional Access Controls

    Implement remote access conditional access policies to ensure only corporate owned devices can authenticate to Virtual Desktop Instance (VDI) or Virtual Private Network (VPN) devices. This facilitates increased organizational control and visibility for potential Remote Monitoring and Management usage. 

    Enforce Strict RMM and Screen-Sharing Software Controls

    Audit corporate environments to block the installation and execution of unauthorized remote monitoring, management, and support utilities. Enforce application control policies (e.g. Windows Defender Application Control or third-party endpoint protection tools) to restrict execution of non-approved binaries. Organizations may also consider restricting interactive screen-control features within authorized virtual meeting platforms like Zoom and Teams. 

    Endpoint Removable Media Hardening

    To neutralize physical exfiltration vectors, disable read/write capabilities for all external USB mass storage devices. Enforce Group Policy Objects (GPOs) or MDM configurations to restrict:

    Network Monitoring and Egress Control

    Monitor firewall logs, network flows, and endpoint execution logs for indicative exfiltration and staging actions. Specifically:

    • Block or alert on outbound connections to unauthorized file-sharing APIs and emails.

    • Ensure full session logging with bytes transferred is enabled within Firewall log configurations.

    • Monitor SSH traffic (Port 22) from internal VDIs and endpoints for high-volume WinSCP and Rclone transfers.

    Application Log and Access Auditing

    Review authentication and access metrics for critical document stores to identify bulk harvesting profiles.

    • Configure real-time alerts in iManage, SharePoint, and corporate email directories for rapid file searches, search-term spikes, and mass file downloads.

    • Implement multi-factor authentication (MFA) on business critical data repository applications, such as iManage. 

    • Implement strict BYOD authentication controls, requiring MFA step-up queries when accessing VDI nodes.

    Outlook and Implications

    The targeting of US legal and professional services organizations by financially motivated actors is a persistent industry risk. Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports. Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing.

    Threat actors recognize that targeting the human element—specifically using voice-guided social engineering—enables them to easily bypass robust technical perimeters, web security gateways, and MFA configurations. 

    Finally, the integration of in-person, physical intrusions represents an escalation in threat capability. While log-based defenses and endpoint telemetry have matured, physical corporate boundaries are frequently protected only by administrative procedures. Organizations must transition to a unified security posture that treats physical facility access control and endpoint-based hardware policies as equal components of their defensive perimeter.

    Data Leak Site (DLS)

    UNC3753 utilizes the following web platform to disclose the identities of victims and their compromised data.

    Phishing Domains

    GTIG identified infrastructure registrations by suspected UNC3753 actors utilizing specific naming conventions, assessed as supporting their ongoing social engineering and vishing activities.

    • -itdesk[.]com

    • -it[.]com

    • -helpdesk[.]com

    Indicators of Compromise (IOCs) 

    To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.