[BreachExchange] Stolen Jones Day Law Firm Files Posted on Dark Web

[Destry Winant]

https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/

Jones Day, which represented Trump, said the breach is part of the
Accellion attack from December.

The Clop ransomware group has reportedly started posting data on the
Dark Web apparently stolen from law firm Jones Day, which represents
many of the globe’s most powerful people, including former president
Donald Trump in his efforts to overturn the 2020 election.

But the attack had nothing to do with politics, a person claiming to
be from the hacker group told Vice. Asked about the motivation, they
responded, “And what do you think? 😉 financial of course.”

The site DataBreached.net was first to report on the incident and
published screenshots of stolen Jones Day files that the Clop group
posted on the Dark Web as proof it has the goods. The group told
DataBreaches.net it didn’t encrypt the files, just stole copies of
information. The Clop crew also said Jones Day hasn’t responded to its
requests.

“Hi, they ignore us so they will be published,” DataBreaches.net
reported that the group responded.

A purported Clop ransomware hacker told the Wall Street Journal that
Jones Day was notified on Feb. 3 that the data had been stolen and, as
of Tuesday, Clop had not heard from the firm or discussed any ransom
payment.

Jones Day hasn’t responded to Threatpost’s request for comment.

Accellion FTA Breach

The ransomware group claims it stole the information directly from
Jones Day servers, but the firm denied that to the Wall Street
Journal, instead pointing to a widespread compromise of the FTA
file-sharing service from Accellion that emerged last December as the
point of attack.

The Journal added that the law firm Goodwin Procter LLP was also
compromised as a result of the Accellion breach. Several other
multi-national companies which use the Accellion file transfer service
have also been compromised, including Tier 1 telecom carrier Singtel
and Australian telecom company Optus.

Accellion reported that it became aware of a zero-day vulnerability in
its 20-year-old system on Dec. 23, but once the company came under
attack, a cascade of bugs ensued. But by February, company said the
system was fully patched.

“Accellion is conducting a full assessment of the FTA data security
incident with an industry-leading cybersecurity forensics firm,” a
statement from the company said in response to Threatpost’s inquiry
about the Jones Day breach. “We will share more information once this
assessment is complete. For their protection, we do not comment on
specific customers. We are working with all impacted FTA clients to
understand and mitigate any impact of this incident, and to migrate
them to our modern kiteworks content firewall platform as soon as
possible.”

The Wall Street Journal reported that it reviewed Clop’s stolen Jones
Day files, which included, “Accellion configuration files and logs
with references to Jones Day email and web addresses,” in addition to
unrelated files ripped off from a California hospital in 2016.

The Vulnerable Software Supply Chain

But, Lamar Bailey, senior director of security research at Tripwire,
told Threatpost that it’s possible the hackers have found another
vulnerability.

“If Jones Day releases the results of the investigation that is still
ongoing, that should point to the cause,” Bailey said. “It is possible
that the attacker is current, and Jones Day has not found the root
cause yet but that remains to be proven.”

Nonetheless, Bailey added, this should serve as a warning for
organizations to start taking a harder look at their software supply
chains.

“The old saying a chain is only as strong as its weakest link also
holds true for today’s extensive supply chains,” Bailey said. If one
of the products used by an organization is exploited, it opens up the
organization to breaches as well.”

Bailey recommends using proactive threat intelligence services to
detect and mitigate threats quickly.

“When an alert is received quickly, assess if  the vulnerable versions
of the hardware or software are in use and take remediation actions,”
Bailey explained. “If a supplier was breached, assess what access the
supplier had in the network and what data was accessible and then take
actions to lock it down until remediations are in place.”

More Accellion Breach Victims Likely

Niamh Muldon, global data protection officer at OneLogic ,said this
probably won’t be the last of the fallout from the Accellion breach.

“We are likely to see more breach disclosures originating from the
Accellion file-sharing data breach over the forthcoming months,”
Muldon said.

It’s critical, Muldon explained, for companies who fall victim to the
compromise to engage in transparent communications with partners and
clients about potential risks.

“Business leaders can take appropriate action now to help maintain the
trust with their customers, partners and employees,” Muldon added.
“They can achieve this by carrying out due-diligence with their
organization to understand if Accellion data file sharing tool is in
use and/or was in use in the past. Being transparent with customers,
partners and employees about this tool usage and potential exposure
allows for appropriate actions to be taken.”