Identity is the new perimeter

Once KeeLoader stole vault credentials, often including domain admin, vSphere, and backup service accounts, attackers moved fast. Using SSH, RDP, and SMB protocols, they quietly seized control of jump servers, escalated privileges, disabled multifactor authentication, and pushed ransomware payloads directly to VMware ESXi hypervisors.

Jason Soroko of Sectigo called it a “textbook identity attack.” “By turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys and service-account secrets that function as the organization’s digital identities,” he said. “Those stolen identities negated perimeter controls, neutralized Veeam backups and enabled hypervisor-level ransomware deployment.”

The attack wasn’t just about malware. As Rom Carmel, co-founder and CEO at Apono, noted, “It hinged on identity and credential compromise.”

“By trojanizing KeePass, attackers gained access to a trove of stored credentials, including admin accounts, service accounts, and API keys, giving them the ability to move laterally and escalate privileges,” Carmel said. “The lesson learned: this breach highlights how unmanaged credentials and overprivileged identities, both human and non-human, are prime targets and key enablers in modern ransomware campaigns.”

Open source: the double-edged sword

This campaign also highlights the risks of trusting open-source software, or more precisely, the wrong source of it. KeePass itself wasn’t the problem; the ecosystem around it was. “This case touches on open-source usage and our trust in false advertising,” Cipot added.

Patrick Tiquet of Keeper Security echoed the concern. “This incident highlights a critical risk in relying on open-source applications, especially when downloading them from unofficial or unverified sources,” he said. “While open-source software can offer flexibility and transparency, it also presents unique attack surfaces.”

Experts agreed on the remedy: treat software acquisition like identity, with verification. That means downloading from official sources, layering defenses like EDR and PAM, and enforcing zero-trust and zero-knowledge architectures wherever credentials are involved.
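The "verify before you install" step the experts recommend is easy to state and easy to skip. The following is an added example (not code from the article, from KeePass, or from any vendor quoted above) showing what that check looks like in practice: a small Python helper that parses a published checksum manifest in the common `sha256sum` format (`<hex digest>  <filename>`, which is an assumption about the manifest layout, not something the article specifies), hashes the downloaded installer, and refuses to proceed when the file is unlisted or its digest does not match. File names and contents in `demo()` are constructed for illustration; the manifest is the thing you fetch over TLS from the project's official site, never from the same mirror that served the installer.

```python
"""Check a downloaded installer against a pinned checksum manifest before running it.

Added example for illustration; not part of the article or the KeePass project.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# sha256sum manifest line: 64 hex chars, whitespace, optional '*' (binary mode), filename.
# The manifest format is an assumption of this example.
MANIFEST_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S.*)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Return {filename: lowercase sha256 hex} from a SHA256SUMS-style manifest.

    Malformed lines raise rather than being skipped: a damaged manifest should
    stop the install, not silently shrink the set of verifiable files.
    """
    digests: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[m.group("name")] = m.group("digest").lower()
    return digests


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, manifest: dict[str, str]) -> tuple[bool, str]:
    """Decide whether `path` may be installed. Unlisted files fail closed."""
    expected = manifest.get(path.name)
    if expected is None:
        return False, f"{path.name}: not listed in manifest; refusing to trust it"
    actual = sha256_of_file(path)
    # compare_digest avoids leaking the comparison position through timing.
    if not hmac.compare_digest(actual, expected):
        return False, (f"{path.name}: digest mismatch "
                       f"(expected {expected[:12]}..., got {actual[:12]}...)")
    return True, f"{path.name}: digest matches manifest"


def demo() -> dict[str, bool]:
    """Run the check against three constructed files: official, tampered, unlisted."""
    # Constructed manifest: SHA-256 of the empty string, standing in for the
    # digest the project would publish for its real installer.
    manifest = parse_manifest(
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  Installer-Setup.exe\n"
    )
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        official = Path(tmp, "official", "Installer-Setup.exe")
        tampered = Path(tmp, "mirror", "Installer-Setup.exe")
        unlisted = Path(tmp, "mirror", "Installer-Setup-v2.exe")
        for p in (official, tampered, unlisted):
            p.parent.mkdir(parents=True, exist_ok=True)
        official.write_bytes(b"")                   # matches the pinned digest
        tampered.write_bytes(b"constructed: modified build")  # same name, different bytes
        unlisted.write_bytes(b"")                   # right bytes, name not in manifest
        for label, p in (("official", official), ("tampered", tampered), ("unlisted", unlisted)):
            ok, msg = verify_download(p, manifest)
            print(msg)
            results[label] = ok
    return results


if __name__ == "__main__":
    demo()
```

The two design points worth copying into a real deployment script are the fail-closed behaviour (a file missing from the manifest is treated as untrusted, not merely unverified) and the separation of trust sources: the manifest must come from the official publisher's site, because a lookalike mirror that can swap the installer can just as easily swap a checksum hosted beside it. A checksum guards against a modified download; only a signature over the manifest (or the installer itself) guards against a modified manifest, so pair this check with signature verification where the project offers one.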
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3992059/trust-becomes-an-attack-vector-in-the-new-campaign-using-trojanized-keepass.html