LastPass attack saw employee’s home computer hacked


The ongoing investigation into a series of linked security incidents at LastPass has found that the attacker was able to compromise a developer’s home PC using a vulnerability in a media software package.

By Alex Scroxton, Security Editor

Published: 28 Feb 2023 12:45

The threat actor behind a series of compromises of credential management specialist LastPass attacked a DevOps engineer’s home computer to gain access to the organisation’s decryption keys, it has emerged.

The first attack took place in August 2022, and saw LastPass praised for its swift response to the incident, in which the attacker accessed some source code and proprietary technical information.

They then used the information obtained at that time – prior to a reset completed by LastPass – to enumerate and exfiltrate data from cloud storage resources, in a second, deeper and longer-lasting intrusion, disclosed in December 2022, that saw them access customer data.

Compromised customer data included account information such as company and user names, billing addresses, email addresses, telephone numbers and the IP addresses from which they accessed LastPass.

The cyber criminals also accessed a backup of customer vault data including encrypted fields, but as these are encrypted with 256-bit AES and can only be decrypted using a key derived from the user’s master password, which is not known to LastPass, this would be very difficult to achieve as long as the user was following recommended best practice.

Initially, LastPass revealed only that the attacker had targeted a developer’s endpoint, but the investigation has now turned up more details.

“Due to the security controls protecting and securing the on-premise datacentre installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” LastPass revealed in a new update.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution [RCE] capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources and some related critical database backups,” the organisation said.

It added that the engineer in question has been receiving assistance in hardening their home network and equipment.

LastPass said that because of the differing tactics, techniques and procedures (TTPs) used in the attack chain, it had not been immediately apparent that what appeared at first to be two different incidents were in fact linked.

Additionally, it added, alerting and logging were enabled throughout the events but did not immediately indicate the anomalous behaviour that later became more apparent. The fact that the unfortunate engineer’s valid credentials were being used to access a shared cloud storage environment made it harder to differentiate between legitimate and illegitimate activity.

Ultimately, LastPass said, it had AWS to thank – it was the provider’s GuardDuty Alerts that flagged anomalous behaviour as the attacker attempted to use cloud identity and access management (IAM) roles to perform unauthorised activity.

Since the attack, LastPass has taken a number of steps to harden its own cyber security, including rotating critical and high-privilege credentials, revoking and reissuing the compromised certificates, and applying additional hardening measures to its AWS S3 resources.

Given the apparent failings in its ability to respond swiftly to alerts, it has also revised its threat detection and response coverage, and on-boarded new automated and managed services to assist with this, including custom analytics to detect potential abuse of AWS resources.
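The detection problem described above is that the attacker held valid credentials, so authentication alone gave nothing to alert on. The following is an added example, not LastPass’s or AWS’s code, of behavioural detection over a constructed CloudTrail-like event sample: it baselines what an identity normally does and flags departures in call volume, resources touched, roles assumed and source addresses. The principal name, bucket names, role name and IP addresses are all constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed CloudTrail-like sample: (day, principal, eventName, resource, sourceIp).
# Days 1-7 are the baseline: a few backup reads a day from the corporate egress address.
EVENTS = [(d, "devops-a", "GetObject", "prod-backups", "203.0.113.10")
          for d in range(1, 8) for _ in range(3)]
EVENTS += [(d, "devops-a", "ListObjects", "prod-backups", "203.0.113.10") for d in range(1, 8)]
# Day 8: the same valid identity enumerates buckets it never touched, bulk-reads backups
# and assumes a role it never used before, all from an address absent from the baseline.
EVENTS += [(8, "devops-a", "ListObjects", f"bucket-{i}", "198.51.100.7") for i in range(40)]
EVENTS += [(8, "devops-a", "GetObject", "prod-backups", "198.51.100.7") for _ in range(120)]
EVENTS += [(8, "devops-a", "AssumeRole", "role/db-backup-admin", "198.51.100.7")]
BASELINE_DAYS = range(1, 8)

def detect(events, baseline_days, z=3.0, enum_min=10):
    """Flag days on which a principal's behaviour departs from its own baseline.
    Authentication is never inspected: the credentials are valid throughout."""
    per_day = defaultdict(Counter)           # principal -> Counter(day -> API calls)
    known_res, known_roles, known_ips = set(), set(), set()
    for day, p, ev, res, ip in events:
        if day in baseline_days:
            per_day[p][day] += 1
            known_ips.add((p, ip))
            (known_roles if ev == "AssumeRole" else known_res).add((p, res))
    todo = defaultdict(list)                 # (day, principal) -> events outside the baseline
    for e in events:
        if e[0] not in baseline_days:
            todo[(e[0], e[1])].append(e)
    alerts = []
    for (day, p), evs in sorted(todo.items()):
        hist = list(per_day[p].values()) or [0]
        threshold = mean(hist) + z * max(pstdev(hist), 1.0)   # floor the spread at 1 call
        if len(evs) > threshold:
            alerts.append((day, p, "volume", len(evs)))
        new_res = {r for _, _, ev, r, _ in evs if ev != "AssumeRole" and (p, r) not in known_res}
        if len(new_res) >= enum_min:          # touching many never-seen resources = enumeration
            alerts.append((day, p, "enumeration", len(new_res)))
        for role in sorted(r for _, _, ev, r, _ in set(evs) if ev == "AssumeRole" and (p, r) not in known_roles):
            alerts.append((day, p, "new-role", role))
        for ip in sorted({ip for *_, ip in evs if (p, ip) not in known_ips}):
            alerts.append((day, p, "new-source", ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE_DAYS):
        print(alert)
```

Running it on the sample yields four alerts for day 8 (volume, enumeration, new role, new source) and none for a single ordinary backup read from the usual address, which is the distinction the article says was hard to draw when only credential validity was considered.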

Source: Computer Weekly – https://www.computerweekly.com/news/365531867/LastPass-attack-saw-employees-home-computer-hacked