Silent Ransom Group Uses Fake IT‑Support Calls to Extort U.S. Law Firms
What Happened – The Silent Ransom Group (aka UNC‑3753, Luna Moth, Chatty Spider) is running a social‑engineering campaign against U.S. law firms and professional‑services firms. Attackers start with invoice‑themed phishing emails that prompt victims to call a phone number, then impersonate IT help‑desk staff on the call and talk victims into joining remote‑support sessions (Teams, Zoom, Quick Assist, etc.), which they use to install RMM tools and exfiltrate data.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Legal practices store highly sensitive client, M&A, and regulatory data, making them prime extortion targets.
- Successful intrusions can lead to rapid data theft and reputational damage, forcing third‑party vendors to manage breach notifications and regulatory fallout.
- The tactic leverages “phone‑back” phishing, a low‑tech vector that bypasses many traditional email‑security controls.
Who Is Affected – Law firms, accounting firms, and other professional‑services organizations in the United States; downstream vendors that host or process legal data (e.g., cloud‑hosting, document‑management SaaS).
Recommended Actions –
- Review contracts for incident‑response and breach‑notification clauses with legal‑service providers.
- Verify that vendors enforce multi‑factor authentication and least‑privilege access for remote‑support tools.
- Conduct phishing‑simulation training that includes “call‑back” scenarios and reinforce verification of IT‑support identities.
Technical Notes – Attack chain: invoice‑themed phishing email → phone call impersonating IT → remote‑support session (Teams/Zoom/Quick Assist) → installation of AnyDesk, Zoho Assist, Bomgar, or SuperOps → network foothold and data exfiltration. No known CVE exploitation; relies on social engineering and legitimate remote‑access utilities. Source: BleepingComputer
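As an added example (not from the source article or the group described), a defender‑side triage check for the last two links of this chain: a Python script that scans constructed process‑creation events, flags launches of the named RMM tools outside an approved allowlist, and raises severity when a Quick Assist, Teams or Zoom launch preceded them on the same host within a short window. The executable‑name substrings, the allowlist, the time window and the sample events are all assumptions to tune against your own inventory.

```python
from datetime import datetime, timedelta

# Session tools the chain abuses, and RMM tools it then installs (per the
# advisory). Name substrings are assumptions; tune to your environment.
SESSION_TOOLS = ("quickassist", "teams", "zoom")
RMM_TOOLS = ("anydesk", "zoho", "bomgar", "superops")
# Hypothetical allowlist: hosts where IT legitimately deploys each RMM tool.
APPROVED_RMM = {"anydesk": {"it-jumpbox01"}}
WINDOW = timedelta(minutes=30)   # assumed "session then install" window

def parse_events(lines):
    """Parse constructed 'time|host|user|image' process-creation lines."""
    events = []
    for line in lines:
        ts, host, user, image = line.strip().split("|")
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image.lower()})
    return sorted(events, key=lambda e: e["time"])

def detect(events):
    """Alert on unapproved RMM launches; 'high' if a session tool ran first."""
    alerts, last_session = [], {}        # last_session: host -> launch time
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1]
        if any(t in name for t in SESSION_TOOLS):
            last_session[e["host"]] = e["time"]
            continue
        tool = next((t for t in RMM_TOOLS if t in name), None)
        if tool is None or e["host"] in APPROVED_RMM.get(tool, set()):
            continue
        session = last_session.get(e["host"])
        chained = session is not None and e["time"] - session <= WINDOW
        alerts.append({"host": e["host"], "user": e["user"], "tool": tool,
                       "severity": "high" if chained else "medium"})
    return alerts

# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE = [
    "2024-05-01T09:00:00|it-jumpbox01|svc-it|C:\\Tools\\AnyDesk.exe",
    "2024-05-01T11:30:00|ws-finance02|asmith|C:\\Users\\asmith\\ZohoAssist.exe",
    "2024-05-01T14:02:00|ws-legal07|jdoe|C:\\Windows\\System32\\QuickAssist.exe",
    "2024-05-01T14:15:00|ws-legal07|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2024-05-01T16:00:00|ws-legal07|jdoe|C:\\Program Files\\Teams\\Teams.exe",
]

def run():
    return detect(parse_events(SAMPLE))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The approved jump box and the Teams launch with no following install produce no alert; the unapproved AnyDesk launch 13 minutes after Quick Assist on the same workstation is the one that matches the advisory's chain.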