Trust Abused: Trojanized KeePass Becomes an Attack Vector in New Campaign

Sectigo’s Jason Soroko called it a “textbook identity attack.” “By turning a trusted password security tool into a credential-harvesting mechanism, the adversaries gained domain admin passwords, vSphere root credentials and service accounts; these secrets are the organization’s digital identities,” he said. “Those stolen identities bypassed perimeter controls, neutralized Veeam backups and enabled hypervisor-level ransomware deployment.”
The attack is not just about malware. As Apono co-founder and CEO Rom Carmel pointed out, “it depends on identity and certificate compromise.”
“By Trojanizing KeePass, attackers gain access to a range of stored credentials, including administrator accounts, service accounts and API keys, enabling them to move laterally and escalate privileges,” Carmel said. “The lesson learned here: this vulnerability underscores that unmanaged certificates and over-privileged identities, human and non-human alike, are the main targets and key enablers in the modern ransomware movement.”
Open Source: Double-edged Sword
The campaign also highlights the risk of trusting open source software, or rather, of trusting the wrong source for it. KeePass itself is not the problem; the surrounding ecosystem is. “This situation is about open source usage and our trust in fake advertising,” Cipot added.