A ‘Top Tier’ Hacking Gang Is Likely To Be Behind Entrust Ransomware Attack

Following the news that:

A ‘top tier’ hacking gang is likely to be behind Entrust ransomware attack

Entrust ransomware attack likely to be work of ‘top tier’ hacking gang (techmonitor.ai)

6 Expert Comments

Barak Hadad, Head of Research
InfoSec Expert
July 27, 2022 11:56 am

“The consequences of this incident depend on the specific use case, but generally speaking, it could give attackers the ability to masquerade any user in the organization and gain access to the data that was accessible by that user, be it general records or private information.

It’s important to note that proper security is done in layers, and airgapping is a powerful layer but most organizations don’t use it properly because certain business functions require data to and from the “airgapped” network. So, while it sets the bar higher, an airgap isn’t bulletproof.”

Last edited 4 months ago by barak.hadad
Avishai Avivi, CISO
InfoSec Expert
July 27, 2022 11:55 am

“Considering the security measures at Entrust, I believe the consequences are going to be somewhat limited. I believe that there will be increased scrutiny of the supply chain (including the Entrust partnership ecosystem). Considering that Entrust did not suffer any loss of operational capacity, it would seem that the ransomware group failed at least on the first aspect of the double-extortion, they failed in locking Entrust out of their files. Considering that Entrust is publicly saying they’re working with law enforcement tells me that they’re not concerned about the second aspect – that the information will be sold.

The air-gapped nature of the Entrust system would certainly make it much more difficult for malicious actors to gain access to that information, albeit not impossible. As there is not much information available on the specifics of the breach, we can speculate that the malicious actors behind this breach had the level of sophistication needed to bridge that air-gap.

I highly doubt this will rise to the same level of the Okta event. Consider that the first notice we got of this breach is through a screenshot of an Entrust breach notice to its customers, within a month of the breach. Okta took over two months to start notifying their customers. The Okta breach was only acknowledged publicly after the malicious actors publicly posted screenshots of their activity. It seems to me that Entrust is pursuing the correct course of action in addressing this breach.”

Last edited 4 months ago by Avishai Avivi
Chris Hauk, Consumer Privacy Champion
InfoSec Expert
July 27, 2022 11:51 am

“At this point, we don’t know for sure exactly what data has been stolen. However, considering that customers include numerous sensitive U.S. agencies, including the Department of Homeland Security and the Department of the Treasury, this could prove to be a big breach. If the operation and security of Entrust’s product and services are truly air-gapped, it shouldn’t affect those operations. We’ll have to keep our fingers crossed that those services are properly air-gapped.”

Last edited 4 months ago by Chris Hauk
Paul Bischoff, Privacy Advocate
InfoSec Expert
July 27, 2022 11:50 am

“It’s difficult to predict the consequences without knowing more information about the attack. In a worst case scenario, attackers would have been able to access keys, authorize new users, and/or modify existing authentication systems used by clients, including several federal US agencies. That would put those agencies at risk of further infiltration and attack. Entrust seems confident that user data and its products and services were not affected. I have no reason to think it’s lying. Entrust and Okta provide similar services to large government and corporate clients. Their services are both used to authenticate users on a given app or network, such as by setting up multifactor authentication. Therefore the knock-on effects we see from a breach at one company would presumably be similar to the other. However, it’s worth noting that Okta ended up not being that big of a deal: https://www.theverge.com/2022/4/20/23034360/okta-lapsus-hack-investigation-breach-25-minutes”

Last edited 4 months ago by Paul Bischoff