惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
小众软件
小众软件
J
Java Code Geeks
V
Visual Studio Blog
The Register - Security
The Register - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
美团技术团队
阮一峰的网络日志
阮一峰的网络日志
V
V2EX
博客园 - 叶小钗
N
Netflix TechBlog - Medium
月光博客
月光博客
aimingoo的专栏
aimingoo的专栏
大猫的无限游戏
大猫的无限游戏
T
The Exploit Database - CXSecurity.com
The Hacker News
The Hacker News
Cisco Talos Blog
Cisco Talos Blog
Hacker News: Ask HN
Hacker News: Ask HN
Hacker News - Newest:
Hacker News - Newest: "LLM"
AWS News Blog
AWS News Blog
Webroot Blog
Webroot Blog
The Last Watchdog
The Last Watchdog
T
Threatpost
I
Intezer
T
Tenable Blog
L
LINUX DO - 热门话题
T
Tailwind CSS Blog
Scott Helme
Scott Helme
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cybersecurity and Infrastructure Security Agency CISA
Engineering at Meta
Engineering at Meta
S
Schneier on Security
Recent Announcements
Recent Announcements
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
F
Fortinet All Blogs
腾讯CDC
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
量子位
H
Hacker News: Front Page
V2EX - 技术
V2EX - 技术
Google Online Security Blog
Google Online Security Blog
人人都是产品经理
人人都是产品经理
博客园 - 【当耐特】
博客园 - Franky
www.infosecurity-magazine.com
www.infosecurity-magazine.com

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
The Hidden Cascade: Why Law Firm Breaches Destroy More than Data
2025-12-05 · via Recorded Future

In the wake of the Salesforce/Gainsight breach (kudos to Salesforce for transparently sharing indicators of compromise and updated progress on remediation), third-party cyber and exposure risk is top of mind for many CISOs. Professional services firms are often overlooked in this context, with disastrous consequences.

Law firms, specifically, are particularly vulnerable to creating downstream risk impacts given the nature and purpose of legal services, and adversary targeting is on the rise.

The numbers paint a stark reality. Twenty % of US law firms were targeted by cyberattacks in the past year, with 56% of breached firms losing sensitive client information. The average breach cost reached $5.08 million, representing a 10% year-over-year increase that excludes long-term reputational damage and client defection.

RansomHub has emerged as 2025’s dominant threat after absorbing talent from disrupted groups like LockBit and ALPHV/BlackCat. By offering affiliates a 90/10 profit split versus the standard 70/30, they’ve attracted the most capable operators in the underground economy. Qilin’s Rust-based ransomware has specifically targeted legal entities with encryption-resistant payloads, making recovery nearly impossible.

Qilin ransomware profile c/o Recorded Future

The chart below, derived from Recorded Future analyst notes tracking ransomware extortion sites, illustrates the growth in ransomware targeting by industry, with legal firms remaining the number one target.

Ransomware victims industry comparison in 2024 and 2025.

These aren’t opportunistic attacks. Threat actors now maintain “dwell times” exceeding weeks inside firm networks, systematically identifying crown jewel intelligence before triggering extortion events. Industrialization means attackers understand exactly what creates maximum leverage: M&A intelligence during active deals, litigation strategies before trial, and decades of retained client data across multiple matters.

Recorded Future telemetry from the past quarter indicates that over 20 observed legal or legally adjacent firms have malware communicating with malicious command-and-control (C2) servers. While the observed traffic was 24 hours or less for some firms, other organizations saw persistence above 5 days. Certainly, a malicious implant does not equate to a full breach and exfiltration of client-sensitive data; however, it is a valuable signal to monitor for changes in third-party and fourth-party risk.

rxkipoqeu6

Infographic depicting recent malware dwell times in global legal firm victims

When Privilege Becomes Your Adversary’s Weapon

Courts have systematically eroded attorney-client privilege protection for breach investigations, creating a dangerous trap where forensic reports become ammunition for adversaries. The Capital One decision ordered production of Mandiant’s forensic report because the investigator served “business purposes” rather than pure legal advice.

The cascade accelerates through “sword and shield” waiver doctrine. Any use of breach investigation findings, even citing them in discovery responses, can trigger a subject matter waiver, requiring disclosure of all privileged communications related to threat assessment and remediation strategy. The 2024 Samsung Data Breach ruling made this explicit: sharing reports with 15 executives indicated business decision-making use, defeating privilege.

Federal Rule of Evidence 502 creates additional exposure when companies share incident reports with regulators. The 2023 Covington & Burling case saw the SEC subpoena the firm for names of 298 publicly-traded clients whose data “may have been exfiltrated,” though a court eventually ruled that only seven clients had to be named, it did establish that law firms cannot completely shield client identity from regulators, and those clients could then face SEC investigation for failure to disclose their counsel was breached.

M&A Intelligence Monetization at Scale

When Berkeley Research Group was hit by ransomware in March 2025 during a $700 million leveraged buyout by TowerBrook Capital Partners, the attack exposed M&A intelligence across hundreds of concurrent deals. This wasn’t just data theft; it was a systematic opportunity for market manipulation.

Academic research quantifies the damage. The Intralinks/Cass Business School study found 8-10% of M&A deals leak annually, with leaked deals achieving 47% median premiums versus 27% for non-leaked deals, which is a 20 percentage point difference worth millions per transaction. Only 49% of leaked deals complete versus 72% of non-leaked deals.

The Tyler Loudon case (2024) demonstrated the benefits of access when the defendant stole M&A information from his attorney wife, resulting in insider trading charges.

The Systematic Failure to Assess Professional Services Risk

Only 30% of law firms report clients asking them to complete security questionnaires (not that attestations are a wholly competent method for determining exposure risk), compared to a near-universal requirement for SaaS vendors. This exemption culture may stem from relationship bias and the misconception that “they’re not a tech vendor” despite law firms operating technology-intensive businesses.

The data concentration goes untracked. A single firm may hold M&A details, employee PII, trade secrets, litigation strategies, regulatory issues, and executive compensation across multiple business units that operate independently. The Orrick breach (2023) exposed 637,000+ individuals precisely because the firm aggregated data from employment litigation, mergers and acquisitions (M&A) transactions, and patent filings.

Retention amnesia compounds the risk. Lawyers traditionally “keep everything forever” due to a risk-averse culture, and potential regulatory requirements. Data from cases in the 1990s may still exist on unpatched legacy servers. Each year of retention adds cumulative breach exposure, yet enterprises rarely ask law firms about deletion policies or data locations.

Strategic Actions for Enterprise Defense

Treating professional services firms as high-risk technology vendors requires structural changes to vendor management frameworks.

  • Eliminate standing exemptions: Subject law and consulting firms to the same security requirements as SaaS vendors, including SOC 2 verification, independent audits, and quarterly assessments, without granting relationship-based waivers.
  • Map concentration risk: Identify all professional services vendors with data access across business units. Calculate total organizational exposure when single firms hold aggregated intelligence across HR, legal, finance, and compliance matters.
  • Audit fourth-party dependencies: Require disclosure of critical vendors, including MSPs, cloud providers, SaaS vendors, and document management systems. A breach of fourth-party infrastructure becomes your breach through the use of API tokens, credential harvesting, and VPN pivoting.
  • Establish time-bound access: Implement purpose-limited credentials that expire at the conclusion of a matter. Eliminate long-lived access that persists in engagement reports and consulting code repositories.
  • Define retention requirements: Specify data deletion periods in contracts with confirmation requirements. Audit compliance quarterly, as many firms retain data indefinitely on legacy systems.
  • Deploy breach detection: Place honeytokens in systems accessible to professional services firms. Establish 24-48 hour notification SLAs with emergency credential rotation capabilities.
  • Create specialized incident response protocols: Develop playbooks specifically for law firm breaches addressing privilege complications, litigation exposure assessment, and regulatory notification requirements.
  • Use threat intelligence to map services firms’ domain and IP space. Use the infrastructure map to monitor and alert on observed traffic between malware implants and command-and-control (C2) infrastructure. Recorded Future's Third-Party Intelligence automates this monitoring across your entire vendor ecosystem, providing real-time alerts when professional services firms show compromise indicators. Combined with Ransomware Mitigation capabilities, organizations can track ransomware group TTPs, monitor extortion sites, and receive early warnings when vendors appear on leak sites. Immediately notify affected service providers, disable organizational access, and assist in remediation.

Wrap-Up

The evidence from 2025 makes the stakes undeniable. With 21 law firm breaches in just the first five months of 2024 and incidents like Williams & Connolly’s nation-state compromise and Berkeley Research Group’s ransomware during active M&A, the pattern is clear.

When your law firm holding decades of critical data gets breached, you don’t have a vendor incident. You have a strategic intelligence compromise with multi-year competitive implications that traditional third-party risk frameworks didn’t adequately contemplate, as they exempt “trusted advisors” from the security scrutiny their data concentration demands. The shift from relationship-based trust to risk-based verification isn’t optional; it’s survival.

Learn how Recorded Future's Ransomware Mitigation and Third-Party Intelligence solutions work together to protect against cascading vendor risk. From tracking ransomware groups targeting legal firms to monitoring your vendors for real-time compromise indicators, you can detect and respond to vendor compromises before they cascade into your organization.