Digital security giant Entrust has confirmed that it suffered a cyberattack in which threat actors breached its network and stole data from internal systems. Entrust is a security firm focused on online trust and identity management, offering a wide range of services, including encrypted communications, secure digital payments, and ID issuance solutions. Depending on what data was stolen, this attack could impact a large number of critical and sensitive organizations that use Entrust for identity management and authentication. This includes US government agencies such as the US Department of Energy, the Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and several more.
Hackers breached Entrust’s network in June. Approximately two weeks ago, a trusted source said that Entrust was breached on 18 June 2022 and that the hackers stole corporate data during the cyberattack. However, it wasn't until last week that the breach was publicly confirmed when security researcher Dominic Alvieri tweeted a screenshot of a security notice sent to Entrust's customers on 6 July.
"I am writing to let you know that on 18 June, we learned that an unauthorized party accessed certain of our systems used for internal operations. We have been working tirelessly to remediate this situation since that moment," reads a security notice from Entrust CEO Todd Wilkinson.
"The first thing I want to tell you is that, although our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services."
The security notice confirms that data was stolen from Entrust's internal systems. However, it is not known at this time if this is purely corporate data or customers' and vendors' as well. "We have determined that some files were taken from our internal systems. As we continue to investigate the issue, we will contact you directly if we learn information that we believe would affect the security of the products and services we provide to your organization." - Entrust.
Last week, Entrust said that they are working with a leading cybersecurity firm and law enforcement to investigate the attack but that it has not affected their operations. "While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate, air-gapped environments from our internal systems and are fully operational," Entrust said.
BleepingComputer learned that a well-known ransomware gang is behind the attack. While it is unclear whether devices were encrypted during the attack, ransomware gangs commonly steal data before launching their encryptors so that it can be used in double-extortion schemes. According to AdvIntel's CEO, a ransomware operation purchased compromised Entrust credentials and used them to breach the company's internal network. "The responsible group operation relied on the trusted network of network access sellers to obtain initial access to Entrust environment which led to the subsequent encryption and exfiltration exposure via a known ransomware group," they said.
Unless Entrust pays a ransom demand, we will likely learn what ransomware operation was behind the attack when they publicly publish the stolen data. When we reached out to Entrust with questions about the ransomware attack, they told us they could not share any further details about the attack.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and offers technical reports like this from our friends at Microsoft. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings