Jason Soroko of Sectigo called it a “textbook identity attack.” “By turning a trusted password safe into a credential harvesting mechanism, the adversary harvested domain admin passwords, vSphere root keys and service-account secrets that function as the organization’s digital identities,” he said. “Those stolen identities negated perimeter controls, neutralized Veeam backups and enabled hypervisor-level ransomware deployment.”
The attack wasn’t just about malware. As Rom Carmel, co-founder and CEO at Apono, noted, “It hinged on identity and credential compromise.”
“By trojanizing KeePass, attackers gained access to a trove of stored credentials, including admin accounts, service accounts, and API keys, giving them the ability to move laterally and escalate privileges,” Carmel said. “The lesson learned: this breach highlights how unmanaged credentials and overprivileged identities, both human and non-human, are prime targets and key enablers in modern ransomware campaigns.”
Open source: the double-edged sword
This campaign also highlights the risks of trusting open-source software, or more precisely, the wrong source of it. KeePass itself wasn’t the problem; the ecosystem around it was. “This case touches on open-source usage and our trust in false advertising,” Cipot added.