Dubious Document Destroyed at Law Firm

The Network: Our client is an established law firm with more than 225 lawyers with a long history of well-planned growth, enduring client relationships and leadership across more than eight decades. Multiple locations are supported by an IT team located at HQ. Law firms must safeguard sensitive information ranging from global contracts to mergers & acquisition data to pending court cases. EventTracker SIEM enables an additional layer of defense in depth with its 24/7 security monitoring capabilities.

The Expectation: The primary user is not an IT professional and therefore must be kept safe against malware that is prevalent today. Endpoints are maintained carefully with patching and a brand name anti-virus, and a properly configured firewall at each location. Given that attackers will exploit every possible vector, constant monitoring is needed.

The Catch: The EventTracker SOC (Security Operations Center) observed that the scanning module at the firewall reported a possibly malicious MS Word document was embedded in a web server request that originated in the network but to a server in Taiwan.

The Find: Although the MS Word document was dormant on the endpoint, a proactive assessment of its MD5 hash by the EventTracker SOC detected that it was malicious and contained the trojan called Valyria. US-CERT has warned about malicious Microsoft Word document that could contain Visual Basic for Applications (VBA) macros. These files can download and install malware, install proxy and remote access trojans (RATs), connect to command and control (C&C) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections. The Department of Homeland Security (DHS) and the FBI identified trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S. Government refers to malicious cybersecurity activity by the North Korean government as HIDDEN COBRA.

The Fix: The EventTracker SOC analyst promptly alerted the administrator to delete this malicious MS Word document and recommended a thorough scan of the target. The law firm’s technical team confirmed that the document was unknown and performed a further scan that revealed a secondary infection. The machine was retired and re-imaged.

The Lesson: Attacks are continuous, and defense must be in depth. Merely deploying prevention technology is insufficient. Detection is a must with active SIEM monitoring along with proactive mitigation steps.