A “top tier” ransomware gang is likely to be behind an attack on digital identity provider Entrust, which provides services to tens of thousands of customers, an expert has told Tech Monitor. The company has confirmed an ongoing ransomware attack which has seen data from its internal systems stolen. The breach bears similarities to an attack earlier this year on another digital ID provider, Okta, and could have serious consequences.
It was confirmed this weekend that Entrust suffered a ransomware attack, starting with unknown perpetrators stealing a cache of internal data. A screenshot of a security notice sent to customers posted online explained details of the breach, which began on June 18.
In a statement confirming the incident yesterday, Entrust added that it has “found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems,” but said it was working with a cybersecurity vendor and law enforcement agencies to investigate further. It is not clear if a ransom has been paid.
Entrust says it has more than 10,000 customers, mainly in banking and insurance, that use the company’s technology for “trusted identities, payments, and data protection”.
Tech Monitor has contacted Entrust for further information.
What are the implications of the Entrust ransomware attack?
Security analyst Sourfiane Tahiri told Tech Monitor that the only thing known so far about the attack is that someone with access to an Entrust back-end has had their credentials stolen.
Though no group has taken responsibility for the attack, Yelisey Boguslavskiy, head of threat research at security company AdvIntel, says it is likely to be the work of highly skilled attackers. “From the initial evidence that AdvIntel has regarding the Entrust breach, the group behind it is a top-tier actor, most likely close and operationally identical to teams like Cl0p, BlackCat, and, most importantly, Evil Corp infiltration teams,” he says.
The consequences of the attack will depend on the type of data stolen. If the criminals have managed to access customer information, the attack could be as dangerous as the Okta breach, where access was leaked to the company’s authentication platform via a third-party customer support engineer and more than 300 customers were impacted in a supply chain attack. This attack was the work of the prolific Lapsus$ hacking group.
In the case of Entrust, Boguslavskiy says the attacker is likely to have relied on a network of underground resellers to gain the stolen credentials, before working on ways to use the credentials to access Entrust’s systems. “They will use the same external and internal networks to make the maximum profit with maximum efficiency using the data they stole,” he says.
While customer data may be safe behind an air gap, some air gaps are safer than others, Boguslavskiy adds. “If the entirety of clients’ information was air-gapped, naturally, the actors could not access it,” he explains. “However, client information is often present beyond the air-gapped storages: via cloud services, local shares, and other operational resources that can be easily accessed during the network infiltration.”
The only thing that customers can currently do is draft up their responses in preparation for any further developments, states Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
“Organisations should prioritise establishing from Entrust their level of involvement in the incident, but also kick start their incident response procedures if the scale of the breach increases,” he says.
Read more: UK lawyers warned to stop helping clients make ransomware payments