
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Friday, May 29, 2026  ·  hardened.news
>  The signal. Not the noise.    For teams that defend.
Lead Story
Critical — Active Threat · Enterprise · IT Ops
Silent Ransom Group Sends Operatives Into Law Firm Offices — FBI Warns of Physical USB Data Theft With No Detectable Malware
The extortion gang behind 100+ confirmed law firm intrusions now dispatches operatives to impersonate IT staff on-premises, connect USB storage devices to workstations, and leave with client data — generating no malware alert, no encrypted files, and no incident ticket until a ransom demand arrives weeks later.

The Silent Ransom Group — known to researchers as Luna Moth, Chatty Spider, and UNC3753 — now sends operatives into law firm offices, impersonating IT staff and plugging USB storage devices directly into workstations. No ransomware runs and no files are encrypted, so workstation sessions continue normally. The FBI’s May 26, 2026 FLASH advisory flags the in-person tactic as an active escalation; researchers count 100+ attacks, with 38 firms’ data posted to the group’s public leak site, including Orrick, Herrington & Sutcliffe and Jones Day. FBI IC3 FLASH → Bleeping Computer →

Law firms are targeted for extortion leverage: attorney-client communications, M&A documentation, and IP litigation files can damage the firm and its clients simultaneously. Endpoint and AV controls raise no alert when staff copy files to removable media for someone who walked in the front door. Canadian law firms hold PIPEDA-regulated client data; a theft of this kind triggers mandatory breach-reporting obligations to the Privacy Commissioner of Canada. OPC →

→ Key Takeaway
The Silent Ransom Group combines social engineering phone calls with physical office access. Because no malware is deployed (the FBI FLASH advisory confirms this), the malware-centric layers of the stack, endpoint detection and antivirus, see nothing, and DLP helps only where removable-media controls are actually enforced on the endpoint rather than stated in a policy document. Action: Ask your facilities and security teams whether visitors claiming IT credentials are verified against known staff or a contracted vendor before they touch a workstation, and confirm that removable media restrictions are enforced and logged at the endpoint, not just written down.
Quick Hits
01
Malicious npm Package Silently Stole Files From Claude AI’s Working Directory — 676 Downloads and Still Live at Disclosure

OX Security researchers discovered “mouse5212-super-formatter” on npm: a package designed to recursively copy every file from /mnt/user-data — Anthropic’s Claude AI tool’s working directory — and exfiltrate them to an attacker-controlled GitHub repository. The malware author, apparently using AI to write the malicious code, leaked their own GitHub private token in the package, letting researchers trace the full extent of the operation; the attacker’s GitHub account has since been deleted, but the package remained live on npm at the time of disclosure. Developers who installed this package in environments where Claude processes sensitive files should treat /mnt/user-data contents as potentially compromised. The Hacker News → The Register →

High — AI Supply Chain Attack · Dev · Cloud+DevOps
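The first thing a team responding to the item above needs is a quick answer to "did any of our projects pull this package, and what else in the tree runs code at install time?" The script below is an added example written for this newsletter; it is not code from OX Security, npm, or the package author. It assumes a lockfile v2/v3 layout, where npm writes a "hasInstallScript" key for packages that declare preinstall, install, or postinstall scripts. The lock file, the package versions, and the second hooked package (@example/native-helper) are constructed placeholders, not observed data.

```python
"""
Triage a package-lock.json for a known-bad npm package name and for any
dependency that runs an install-time lifecycle hook.

Added example (not code from OX Security, npm, or HARDENED). Assumes lockfile
v2/v3: per-package entries under "packages" keyed by their node_modules path,
with "hasInstallScript": true on packages that declare install hooks.
"""
import json

# The package named in the report; versions are not given there, so the
# constructed lock file below uses a placeholder version.
KNOWN_BAD = {"mouse5212-super-formatter"}

# Constructed lockfile v3 excerpt. "resolved"/"integrity" fields are omitted
# for brevity; a real lock file carries them on every entry.
LOCKFILE = """\
{
  "name": "intake-reporting",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "intake-reporting",
         "dependencies": {"mouse5212-super-formatter": "^1.0.0", "left-pad": "^1.3.0"}},
    "node_modules/mouse5212-super-formatter": {"version": "1.0.0", "hasInstallScript": true},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/@example/native-helper": {"version": "2.4.1",
                                                                 "hasInstallScript": true}
  }
}
"""


def package_name(lock_key):
    """Map a lock-file key to the package name, handling nesting and scopes.

    "node_modules/a/node_modules/@s/b" -> "@s/b"
    """
    return lock_key.rsplit("node_modules/", 1)[-1]


def triage_lockfile(text, known_bad=KNOWN_BAD):
    """Return known-bad packages present and every package with an install hook."""
    lock = json.loads(text)
    found_bad, hooked = [], []
    for key, meta in lock.get("packages", {}).items():
        if key == "":            # the root project entry, not a dependency
            continue
        name = package_name(key)
        if name in known_bad:
            found_bad.append((name, meta.get("version")))
        if meta.get("hasInstallScript"):
            hooked.append((name, meta.get("version")))
    return {"known_bad": found_bad, "install_hooks": hooked}


if __name__ == "__main__":
    result = triage_lockfile(LOCKFILE)
    for name, version in result["known_bad"]:
        print(f"KNOWN BAD: {name}@{version} - treat /mnt/user-data contents as exposed")
    for name, version in result["install_hooks"]:
        print(f"install hook: {name}@{version}")
```

Run it against every package-lock.json in the organisation (CI caches included); a hit on the known-bad package means the data Claude processed in that environment should be treated as exposed, and the install-hook list is the starting point for deciding where `npm ci --ignore-scripts` is viable.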
CVE Watch
CVE-2026-8398 (DAEMON Tools Lite): Signed Backdoor in Official Installer — Update to 12.6.0 and Hunt for C2 Callbacks

Attackers compromised AVB Disc Soft’s build or distribution infrastructure and trojanized three binaries — DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe — all signed with the vendor’s legitimate code-signing certificate, enabling the malicious installers to pass AV and Windows SmartScreen checks. The compromised installers were distributed from daemon-tools.cc between April 8 and May 5, 2026; affected versions span 12.5.0.2421 through 12.5.0.2434. On each startup the implant beacons out to env-check.daemontools[.]cc and runs whatever command the server returns through cmd.exe, giving the operator persistent hands-on access to the host. DAEMON Tools Lite 12.6.0 removes the compromised files; CISA’s KEV mitigation guidance also accepts downgrading to 11.2.1 or uninstalling the software entirely. Organizations on affected versions should update immediately and conduct endpoint threat-hunting for outbound connections to env-check.daemontools[.]cc. NVD → Bleeping Computer →

Vendor: AVB Disc Soft (DAEMON Tools Lite)  ·  CVE: CVE-2026-8398  ·  CVSS: 9.8 (v3.1) / 9.3 (v4.0) — Critical (NVD confirmed)  ·  Attack Vector: Network (supply chain via official installer)  ·  Affected: DAEMON Tools Lite 12.5.0.2421–12.5.0.2434  ·  Fix: DAEMON Tools Lite 12.6.0  ·  Status: CISA KEV confirmed active exploitation, May 27, 2026
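Two mistakes are easy to make when hunting this one: comparing version strings lexically (which mis-orders four-part build numbers), and searching DNS or proxy logs for the defanged form of the C2 hostname or for the vendor's legitimate domain. The script below is an added example for this newsletter, not code from AVB Disc Soft, CISA, or NVD. The affected range, fixed version, trojanized file names, and C2 hostname are taken from the item above; the software-inventory rows, the DNS log lines, and the log layout (timestamp, client IP, query name, record type) are constructed.

```python
"""
Version triage and C2-beacon hunt for the DAEMON Tools Lite compromise.

Added example (not code from AVB Disc Soft, CISA, or HARDENED). Indicators
are taken from the advisory text; inventory rows, DNS log lines, and the log
column layout are constructed for the example.
"""
import re

AFFECTED_MIN = "12.5.0.2421"
AFFECTED_MAX = "12.5.0.2434"
FIXED = "12.6.0"
C2_HOST = "env-check.daemontools[.]cc"          # defanged, as published
TROJANIZED_FILES = {"DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"}
# Note: these files carried a valid vendor signature; a passing signature
# check is not evidence that a copy is clean.

# Constructed software inventory: (hostname, product, version)
INVENTORY = [
    ("WS-ENG-04", "DAEMON Tools Lite", "12.5.0.2428"),
    ("WS-ENG-11", "DAEMON Tools Lite", "12.6.0"),
    ("WS-FIN-02", "DAEMON Tools Lite", "11.2.1"),
    ("WS-ENG-17", "DAEMON Tools Lite", "12.5.0.2434"),
]

# Constructed DNS log: "<timestamp> <client> <qname> <qtype>".
# The vendor's own site (daemon-tools.cc, hyphenated) is expected traffic;
# the beacon host is on daemontools.cc, without the hyphen.
DNS_LOG = """\
2026-05-28T07:12:03 10.10.4.21 env-check.daemontools.cc A
2026-05-28T07:12:05 10.10.4.21 update.daemon-tools.cc A
2026-05-28T07:13:40 10.10.4.38 env-check.daemontools.cc. A
2026-05-28T08:01:11 10.10.9.7 www.daemon-tools.cc A
"""


def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def version_tuple(version):
    """Numeric tuple so that 12.10 sorts above 12.6 (string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version):
    v = version_tuple(version)
    return version_tuple(AFFECTED_MIN) <= v <= version_tuple(AFFECTED_MAX)


def triage_inventory(rows):
    """Hosts on an affected build, with the remediation the advisory accepts."""
    return [(host, ver, "update to " + FIXED)
            for host, product, ver in rows
            if product == "DAEMON Tools Lite" and is_affected(ver)]


def find_beacons(log_text, c2_host=C2_HOST):
    """Return (timestamp, client, qname) for lookups of the C2 host or its subdomains."""
    c2 = refang(c2_host).lower()
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2].lower().rstrip(".")
        if qname == c2 or qname.endswith("." + c2):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    for host, ver, action in triage_inventory(INVENTORY):
        print(f"{host}: {ver} affected, {action}")
    for ts, client, qname in find_beacons(DNS_LOG):
        print(f"{ts} {client} resolved {qname}: isolate and hunt for cmd.exe children")
```

A DNS hit is a beacon, not proof of tasking; the next step on a hit host is to look for cmd.exe launched by the DAEMON Tools processes named above during the beacon window, since the implant executes whatever the server returns through cmd.exe.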
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM-03 — Detect: Continuous Monitoring
USB Connections and Physical Access Events Are Personnel Activity — DE.CM-03 Requires You to Monitor Both

NIST CSF 2.0 DE.CM-03 requires that “Personnel activity and technology usage are monitored to find potentially adverse events” — a scope that covers removable storage device connections, physical access records, and workstation session activity, not just network traffic logs. The Silent Ransom Group exploits the gap between network-centric monitoring and physical monitoring: no malware triggers endpoint detection, but a USB connection event, an unrecognized visitor record, or an unusual workstation session during an unscheduled office visit each represent detectable signals when the right controls are in place. Action: Ask your security team whether endpoint controls log and alert on removable media connections, and whether physical access records are correlated with workstation session activity for anomaly detection. NIST CSF 2.0 reference: csf.tools/de-cm-03 →
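The detection the lead story and the compliance tip both describe is a correlation, not a single signature: a non-corporate mass-storage device connecting to a workstation shortly after a visitor who claimed an IT role badged in. The script below is an added example written for this newsletter; it is not code from the FBI, NIST, or any EDR vendor. It reads Windows Security Event ID 6416 ("A new external device was recognized by the system") records, which an assumed export step has flattened to one JSON object per line (DeviceId and ClassName are real 6416 fields), plus a badge-system export in an assumed CSV layout. The corporate USB serial allowlist, staff and vendor names, and every event and badge line are constructed.

```python
"""
Correlate removable-media events (Security Event ID 6416) with a physical
access (badge) log to surface the in-person USB theft pattern.

Added example (not code from the FBI, NIST, or HARDENED). Assumes a JSON-lines
export of 6416 events and a CSV badge export with the columns shown; all
sample records, names, and serials are constructed.
"""
import csv
import io
import json
import re
from datetime import datetime, timedelta

# Constructed 6416 records. The device serial is the last path element of
# DeviceId, before the "&<instance>" suffix.
EVENTS_6416 = r"""
{"time": "2026-05-21T10:02:14", "host": "WS-LIT-017", "user": "DOMAIN\\jsmith", "ClassName": "DiskDrive", "DeviceId": "USBSTOR\\Disk&Ven_Corp&Prod_Encrypted&Rev_1.00\\CORP-SN-0042&0"}
{"time": "2026-05-21T14:37:51", "host": "WS-LIT-022", "user": "DOMAIN\\mchan", "ClassName": "DiskDrive", "DeviceId": "USBSTOR\\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\\4C530001230817101593&0"}
{"time": "2026-05-21T14:40:05", "host": "WS-LIT-022", "user": "DOMAIN\\mchan", "ClassName": "HIDClass", "DeviceId": "USB\\VID_046D&PID_C52B\\5&2a1b3c4d&0&2"}
{"time": "2026-05-22T09:15:30", "host": "WS-LIT-009", "user": "DOMAIN\\rlee", "ClassName": "DiskDrive", "DeviceId": "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B2A1C&0"}
"""

# Constructed badge-system export (assumed column layout).
BADGE_LOG = """\
time,site,name,badge_type,company,stated_purpose
2026-05-21T08:55:00,Toronto-12F,J. Smith,staff,,
2026-05-21T14:20:00,Toronto-12F,Dan Perry,visitor,QuickFix Tech,IT support - printer migration
2026-05-22T09:05:00,Toronto-12F,R. Lee,staff,,
"""

CORP_USB_SERIALS = {"CORP-SN-0042"}        # issued encrypted drives (constructed)
APPROVED_IT_VENDORS = {"Northwind MSP"}   # contracted on-site IT (constructed)
CORRELATION_WINDOW = timedelta(hours=2)   # visitor badge-in to USB connection


def parse_events(text):
    """JSON-lines 6416 export -> list of dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events


def parse_badges(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def is_mass_storage(ev):
    # 6416 fires for every USB device (mice, badges); only disk-class devices carry files out.
    return ev["ClassName"] == "DiskDrive" or ev["DeviceId"].upper().startswith("USBSTOR\\")


def device_serial(device_id):
    # "USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\<serial>&0" -> "<serial>"
    return device_id.rsplit("\\", 1)[-1].split("&")[0]


def claims_it_role(purpose):
    tokens = re.findall(r"[a-z]+", purpose.lower())
    return "it" in tokens or "helpdesk" in tokens


def correlate(events, badges, window=CORRELATION_WINDOW):
    """One alert per non-corporate mass-storage connection.

    Severity is 'high' when an unapproved visitor claiming an IT role badged in
    within `window` before the connection, 'medium' otherwise.
    """
    alerts = []
    for ev in events:
        if not is_mass_storage(ev):
            continue
        serial = device_serial(ev["DeviceId"])
        if serial in CORP_USB_SERIALS:
            continue
        alert = {"time": ev["time"].isoformat(), "host": ev["host"], "user": ev["user"],
                 "serial": serial, "severity": "medium", "visitor": None}
        for b in badges:
            delta = ev["time"] - b["time"]
            if (b["badge_type"] == "visitor" and claims_it_role(b["stated_purpose"])
                    and b["company"] not in APPROVED_IT_VENDORS
                    and timedelta(0) <= delta <= window):
                alert["severity"] = "high"
                alert["visitor"] = f'{b["name"]} ({b["company"]})'
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(EVENTS_6416), parse_badges(BADGE_LOG)):
        print(alert)
```

The allowlist step matters as much as the correlation: an unrecognised serial on its own is the "removable media connections are logged" half of DE.CM-03, and the badge join is the "personnel activity" half. Event 6416 must be enabled through the "Audit PNP Activity" subcategory before any of this has data to work with.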

On Our Radar

UEFI Secure Boot KEK certificate expiry, June 24, 2026 (26 days): the Microsoft Corporation KEK CA 2011 expires June 24; the Microsoft Corporation UEFI CA 2011, which signs third-party boot components including the Linux shim, follows June 27; the Microsoft Windows Production PCA 2011 expires in October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
