Marketo Marketplace – Cybercriminals are targeting major law firms

Cybercriminals have published for sale on the Dark Web 58 GB of data stolen from Hollingsworth LLP.

‘Marketo’, one of the emerging underground marketplaces for stolen data, available on the Tor network, announced the publication of data presumably stolen from Hollingsworth LLP, one of the largest U.S.-based law firms.

Information about the new victim of ransomware activity was first published on the threat actors’ Telegram channel at 7:14 AM Pacific Standard Time (PST).

“It is not the first time that cybercriminals are attacking law firms and organizations involved in legal services. Such enterprises typically aggregate large volumes of sensitive data belonging to their clients in the form of businesses and individuals. Cyberespionage activity is often targeted at this vertical, and ransomware groups follow the same path to profit from data theft. ‘Marketo’ is known for attacking enterprises where the data leak will be critical for their business.” – said Gene Yoo, Chief Executive Officer of Resecurity, Inc., a Los Angeles-based cybersecurity company hunting Dark Web actors.

Before publishing the listing of files exfiltrated from Hollingsworth LLP, ‘Marketo’ published a data set presumably belonging to the Clearfield Borough Police Department (Pennsylvania) and the Municipal Court of Princeton (West Virginia) in its ‘VIP Section’. According to the description, the 28 GB of stolen data includes “appeal letters, accounting and audit information, amendment documents, information on taxes, on the clients’ agreements, assets and chats”. The motivation behind these cyberattacks remains unclear. “The U.S. judicial system will finally fly off in terms of security” – a comment added by the actors behind ‘Marketo’ in one of the postings.

Last year, another ransomware gang known as “REvil” attacked the New York-based firm Grubman Shire Meiselas & Sacks, which provides legal services to the entertainment and media industries. Its client list includes more than 200 high-profile celebrities, including Elton John, Rod Stewart, Lil Nas X, The Weeknd and U2, as well as major corporations like Facebook, Sony, HBO and iHeartMedia. The threat actors stole over 756 GB of data from the firm’s network and threatened to release it if the company did not pay them.

Earlier this year, in February, the Clop ransomware group posted data apparently stolen from law firm Jones Day, which represents many of the globe’s most powerful people, including former president Donald Trump in his efforts to overturn the 2020 election. Jones Day said the breach was part of the Accellion campaign, in which the threat actors exploited a previously unknown remote code execution vulnerability in a file transfer service. Another law firm, Goodwin Procter LLP, was also compromised as a result of the Accellion breach. Several other multinational companies that use the Accellion file transfer service have also been compromised, including Tier 1 telecom carrier Singtel and Australian telecom company Optus.

The cybercriminals behind ‘Marketo’ position themselves as operators of an organized ‘marketplace of stolen data’, not as a typical ransomware group that distributes malicious code to disrupt IT operations by blocking the victim’s network and encrypting available files on various data storage systems.

One of the unique features provided by ‘Marketo’ is the ability to ‘bid’ on stolen data, which creates competition between parties interested in acquiring the data, including the end victim. As of today, the marketplace has over 3,248 registered users. The threat actors very likely use bidding as a tactic to put additional pressure on the victim company, because unknown third parties, including competitors or other cybercriminals, may buy its data and leverage it for malicious purposes. There are already 71 ‘bids’ for Hollingsworth LLP registered today on the ‘Marketo’ marketplace.

Other victims published on ‘Marketo’ include Siemens Gamesa Renewable Energy, American Signal Corporation, Line Energy, Navistar, Homewood Health, The City University of New York and over 45 other organizations.

The FBI is requesting $40 million in additional funding for its fiscal 2022 budget to help combat and counter ransomware attacks and other cyberthreats, Director Christopher Wray told a U.S. Senate subcommittee this week. In testimony Wednesday at a hearing of the Senate Appropriations Committee’s Commerce, Justice, Science, and Related Agencies Subcommittee, Wray said the FBI needs the extra funds to address cybercrime, ransomware and various other threats.

About the author: Gene Yoo (CEO, Resecurity)/Resecurity™ HUNTER (cyber threat intelligence and research unit)

Pierluigi Paganini

(SecurityAffairs – hacking, Marketo marketplace)
