08.29.22

Corvus Threat Intel

LastPass Source Code Stolen, Lockbit Ransomware, SaaS Platforms & Phishing Pages

LastPass source code is stolen by hackers, Lockbit Ransomware launches a crippling attack against a French hospital, and SaaS platforms are increasingly used to host phishing pages.

LastPass Source Code Stolen by Hackers

The popular password management tool, LastPass, reported an incident in which hackers stole some of its source code. After compromising an employee account, the attackers gained access to the developer environment. Once inside the network, hackers were able to access LastPass source code as well as other proprietary technical information. Customers’ Master Passwords were not exposed, the company reported. Additionally, LastPass stated that the threat actor did not gain access to personal data on any of its 33 million users, nor their stored passwords. No action was recommended for users of the LastPass platform. The incident is being investigated by a third-party forensics firm and no other details are available on how the successful compromise took place.

Why This Matters

The compromise of a password manager is particularly chilling. While LastPass claims that the hackers were not able to steal user data, any unauthorized access to a password manager is highly disconcerting. It’s unclear whether we’ve heard the end of this incident and what the ramifications are for stolen source code. Either way, this highlights the importance of enabling MFA on your accounts. This provides an extra layer of security even if a username and password are compromised.

Lockbit Ransomware Behind Crippling French Hospital Attack

Center Hospital Sud Francilien announced this week that it was hit with a ransomware attack that crippled many of the hospital’s systems. As a result of the outage, the hospital had to immediately transfer a number of patients in addition to rerouting incoming emergency patients to other facilities. As French authorities investigate and the hospital’s IT staff work to restore services, the hospital is being extorted by the Lockbit ransomware gang for a reported $10 million. This comes after Lockbit’s attack last month on a French telecommunications network, La Poste Mobile. Cybersecurity firm Dragos reports that Lockbit alone is responsible for 125 known industrial attacks last quarter and is currently the most prolific ransomware group.

Why This Matters

This is a clear example of the true threat of cyber attacks on one of the worst targets imaginable: a hospital. With the inability to intake emergency patients, precious minutes are lost by rerouting them elsewhere. This says nothing of the many surgical operations which were no doubt canceled due to the outage. While a few ransomware groups have been hesitant to attack hospitals, Lockbit shows no remorse here.

1100% Increase in SaaS Platforms Used to Host Phishing Pages

Phishing pages have never been easier to host, at least according to a recent Palo Alto report. Instead of creating phishing pages from scratch, hackers can use, and have been using, various SaaS platforms such as form or website building tools. These often require little to no coding experience and can be set up quickly. Many of the same services also offer hosting on their own legitimate domains, making phishing pages harder to detect. Over the past year (June 2021–June 2022), Palo Alto measured an 1100% increase in phishing URLs hosted on legitimate SaaS platforms.

Why This Matters

Lowering the barrier to entry will always result in more cybercrime. Palo Alto’s report highlights the relative ease with which even inexperienced threat actors can create and host phishing pages. The best way to combat this alarming trend is to enable phishing-resistant MFA on your accounts and never approve an MFA request unless you are sitting behind the keyboard trying to log in.

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.

 
