Professional Services Sector Under Attack – Trustwave SpiderLabs Report 2024

Trustwave SpiderLabs’ 2024 Professional Services Threat Landscape report highlights a surge in ransomware, supply-chain, and cloud-related attacks targeting information-rich professional services firms. The breaches threaten sensitive client data and can trigger severe financial penalties, reputational damage, and regulatory scrutiny.
#LockBit #BlackCatALPHV

Key points

  • The professional services sector is experiencing a notable rise in ransomware, supply chain exposure, and attacks tied to emerging technologies, with the US as a major target.
  • Firms hold sensitive IP, legal documents, and client data that are valuable on the Dark Web and can seed further malicious activity.
  • Consequences go beyond downtime to include reputational harm, legal costs, fines, and heightened regulatory scrutiny.
  • Threats overlap with those seen in other sectors but are tailored to professional services, frequently leveraging third-party vendors and misconfigurations introduced during cloud adoption.
  • Top active threat actors include LockBit, BlackCat/ALPHV, and the 8Base group, driving ransomware campaigns against these firms.
  • Attack patterns rely on familiar techniques—phishing, business email compromise, exploiting vulnerabilities, malware, and impersonation schemes using e-sign platforms like DocuSign and Adobe Sign.

MITRE Techniques

  • [T1566] Phishing – Attack groups rely on phishing and related lures against this sector just as they do elsewhere; as the report puts it, “All attack groups use the same bag of tricks for attacking professional service organizations as other sectors. Phishing, Business Email Compromise, exploiting vulnerabilities, various types of malware, and gaining access via access and data brokers who operate on the Dark Web.”
  • [T1195] Supply Chain Compromise – Cybercriminals are increasingly targeting trusted third-party vendors used by professional services and legal firms; “Cybercriminals are increasingly targeting trusted third-party vendors used by professional services and legal firms.”
  • [T1486] Data Encrypted for Impact – Ransomware events are rising in this sector; “Ransomware: Professional services and legal entities have experienced a significant surge in ransomware attacks, with at least 142 firms being victimized over the past year with the US being hardest hit.”
  • [T1078] Valid Accounts – Access is gained via external sources such as data brokers on the Dark Web; “gaining access via access and data brokers who operate on the Dark Web.”

Indicators of Compromise

  • [Domain] – docuSign.com, adobe.com – the legitimate e-signature brands whose names are borrowed in attorney impersonation scams and fake-invoice lures (the report cites “esignature platforms like DocuSign and Adobe Sign”); the value for defenders lies in spotting messages that invoke these brands but originate from other domains, not in blocking the brands themselves.

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/professional-services-sector-under-attack-trustwave-spiderlabs-report-2024/