Following the news that:
A ‘top tier’ hacking gang is likely to be behind Entrust ransomware attack
Entrust ransomware attack likely to be work of ‘top tier’ hacking gang (techmonitor.ai)
“The consequences of this incident depend on the specific use case, but generally speaking, it could give attackers the ability to masquerade as any user in the organization and gain access to the data that was accessible by that user, be it general records or private information.
It’s important to note that proper security is done in layers, and air-gapping is a powerful layer, but most organizations don’t use it properly because certain business functions require data to and from the “air-gapped” network. So, while it sets the bar higher, an air gap isn’t bulletproof.”
“Considering the security measures at Entrust, I believe the consequences are going to be somewhat limited. I believe that there will be increased scrutiny of the supply chain (including the Entrust partnership ecosystem). Considering that Entrust did not suffer any loss of operational capacity, it would seem that the ransomware group failed at least on the first aspect of the double extortion: they failed in locking Entrust out of their files. That Entrust is publicly saying they’re working with law enforcement tells me that they’re not concerned about the second aspect – that the information will be sold.
The air-gapped nature of the Entrust system would certainly make it much more difficult for malicious actors to gain access to that information, albeit not impossible. As there is not much information available on the specifics of the breach, we can speculate that the malicious actors behind this breach had the level of sophistication needed to bridge that air gap.
I highly doubt this will rise to the same level as the Okta event. Consider that the first notice we got of this breach is through a screenshot of an Entrust breach notice to its customers, within a month of the breach. Okta took over two months to start notifying their customers. The Okta breach was only acknowledged publicly after the malicious actors publicly posted screenshots of their activity. It seems to me that Entrust is pursuing the correct course of action in addressing this breach.”
“At this point, we don’t know for sure exactly what data has been stolen. However, considering that customers include numerous sensitive U.S. agencies, including the Department of Homeland Security and the Department of the Treasury, this could prove to be a big breach. If the operation and security of Entrust’s product and services are truly air-gapped, it shouldn’t affect those operations. We’ll have to keep our fingers crossed that those services are properly air-gapped.”
“It’s difficult to predict the consequences without knowing more information about the attack. In a worst-case scenario, attackers would have been able to access keys, authorize new users, and/or modify existing authentication systems used by clients, including several federal US agencies. That would put those agencies at risk of further infiltration and attack. Entrust seems confident that user data and its products and services were not affected. I have no reason to think it’s lying. Entrust and Okta provide similar services to large government and corporate clients. Their services are both used to authenticate users on a given app or network, such as by setting up multifactor authentication. Therefore, the knock-on effects we see from a breach at one company would presumably be similar to the other. However, it’s worth noting that Okta ended up not being that big of a deal: https://www.theverge.com/2022/4/20/23034360/okta-lapsus-hack-investigation-breach-25-minutes”