At a glance.
- GoTo customer data exposed in cloud storage data breach.
- LockBit’s success is no longer so secret.
GoTo customer data exposed in cloud storage data breach.
As we’ve discussed, popular password manager LastPass recently experienced a data breach during which intruders gained access to cloud storage. As Bleeping Computer explains, LastPass owner GoTo, a cloud-based remote working platform, shares that third-party cloud storage service with LastPass, and GoTo has now disclosed that the hackers who breached its development environment back in November also stole encrypted backups containing customer information. The attackers made off with an encryption key for a portion of that data as well.
Security Week reports that GoTo has begun distributing customer notification letters explaining that the attack impacted backups for several enterprise product tiers that were being stored in the cloud storage facility. In a notice posted online, GoTo’s chief executive Paddy Srinivasan stated, “Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.” The compromised data vary by product but include account usernames, passwords (salted and hashed), deployment and provisioning information, One-to-Many scripts, multi-factor authentication (MFA) information, licensing and purchasing data, and the last four digits of credit card numbers. GoTo has responded by resetting the passwords of impacted users and reauthorizing MFA settings where applicable, and affected accounts will be migrated onto an enhanced Identity Management Platform for additional security. As the Verge recounts, in August LastPass disclosed that an unauthorized party had compromised a developer account, and the information stolen in that attack was used by hackers to access customer vaults in November.
Javvad Malik, security awareness advocate at KnowBe4, commented on the implications of encryption key theft. “Any breach is unfortunate for all those impacted. While in this case the data was encrypted, the fact that the decryption keys were also stolen renders the encryption worthless. Therefore, impacted customers should treat this as a complete breach of all data and take the necessary steps to protect themselves from any fallout. This can include changing their passwords. Also, be on the lookout for any phishing or social engineering scams which can be crafted using the stolen data.”
LockBit’s success is no longer so secret.
The LockBit threat group has been popping up in headlines a lot in recent weeks, and it’s considered one of the most prolific ransomware gangs of all time. The US Federal Bureau of Investigation has been investigating the group since 2020, and the Department of Justice reported that LockBit ransomware has so far impacted at least one thousand victims worldwide, earning its members tens of millions of dollars in ransom demands. Despite attempts to maintain a low profile, LockBit has recently attracted more attention from the cybersecurity community after launching attacks on notable institutions like the UK’s Royal Mail and the SickKids children’s hospital in Canada. LockBit is also notorious for hacking manufacturing and industrial control systems; security firm Dragos estimates that in the second and third quarters of 2022, LockBit malware was used in 33% of ransomware attacks on industrial organizations and 35% of those against infrastructure. What’s the secret to the operation’s success? Analyst1 chief security strategist Jon DiMaggio told Wired, “They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman.” Indeed, LockBit’s leader runs the operation like a business, distributing a ransomware product that’s easy to use, regularly updating the software, and taking user feedback into account.
First appearing in 2019 as ABCD ransomware, LockBit is a ransomware-as-a-service (RaaS) operation with a twist: Instead of the group sharing a cut of its profits with its affiliates, the affiliates collect payment from their victims directly and then forward a fee to LockBit’s core members. The gang is also savvy about finding new ways to squeeze payments out of its victims. Peter Mackenzie, director of incident response at security firm Sophos, explains, “They've got different ways of paying. You could pay to have your data deleted, pay to have it released early, pay to extend your deadline.” Adding to the pressure, LockBit allows rival companies to purchase stolen data. Some experts argue that what has made LockBit so successful is its ability to stay out of the spotlight, but its recent notoriety could change all of that. Jérôme Segura, senior director of threat intelligence at Malwarebytes, says, “The bragging, hitting some pretty critical infrastructure, and high-visibility targets is a very dangerous game they're playing. LockBit has a big target on its back right now.”