The Federal Bureau of Investigation (FBI) has issued a warning to law firms regarding a series of sophisticated social engineering attacks orchestrated by a cybercriminal group known as Luna Moth. Active since at least 2022, Luna Moth employs advanced phishing techniques to infiltrate systems, exfiltrate sensitive data, and extort victims.
Understanding Luna Moth’s Tactics
Luna Moth, also referred to as Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, has been targeting law firms over the past two years. Their primary method involves callback phishing or telephone-oriented attack delivery (TOAD). In this approach, victims receive phishing emails that appear to be legitimate communications related to invoices or subscription payments. These emails prompt recipients to call a customer support number to cancel a premium subscription within a specified timeframe to avoid charges.
Once the victim initiates the call, the attackers, posing as customer support representatives, guide them to install remote access software under the pretense of assisting with the cancellation process. This installation grants the attackers unauthorized access to the victim’s system, enabling them to exfiltrate sensitive data. Subsequently, the attackers send an extortion note demanding payment to prevent the public release or sale of the stolen information.
Evolution of Attack Strategies
In March 2025, Luna Moth adapted their tactics by directly calling individuals within targeted organizations, impersonating internal IT department staff. During these calls, they instruct employees to join a remote access session, either through an emailed link or by navigating to a specific webpage. Once access is granted, the attackers claim that maintenance work will be performed overnight. This strategy allows them to escalate privileges and use legitimate tools like Rclone or WinSCP to exfiltrate data without raising immediate suspicion.
Use of Legitimate Tools to Evade Detection
Luna Moth’s use of genuine system management and remote access tools, such as Zoho Assist, Syncro, AnyDesk, Splashtop, and Atera, complicates detection efforts. Because these tools are commonly used for legitimate purposes, security systems struggle to distinguish their unauthorized use from routine administration. If the compromised device lacks administrative privileges, the attackers use portable versions of WinSCP, which run from user-writable directories without installation, to facilitate data exfiltration. This method has proven highly effective, leading to multiple successful compromises.
Indicators of Compromise
Organizations should remain vigilant for the following signs of potential compromise:
– Unusual connections from WinSCP or Rclone to external IP addresses.
– Emails or voicemails from unknown sources claiming data theft.
– Emails regarding subscription services that include a phone number and request a call to cancel pending charges.
– Unsolicited phone calls from individuals claiming to be from the organization’s IT department.
Recommendations for Mitigation
To protect against these sophisticated attacks, the FBI recommends the following measures:
– Employee Training: Educate staff about social engineering tactics and the importance of verifying unsolicited communications.
– Verification Protocols: Implement procedures to confirm the identity of individuals requesting remote access or sensitive information.
– Access Controls: Limit administrative privileges and monitor the use of remote access tools.
– Network Monitoring: Regularly review network activity for unusual patterns or unauthorized access attempts.
– Incident Response Plan: Develop and maintain a comprehensive plan to address potential security breaches promptly.
Conclusion
The Luna Moth group’s evolving tactics underscore the need for heightened vigilance and robust security measures within law firms and other targeted organizations. By understanding these threats and implementing proactive defenses, organizations can better protect their sensitive data and maintain client trust.