@LastPass announced to their customers on August 25th that an unknown actor had accessed one of their cloud-based development environments and stole source code, technical information, and certain LastPass internal secrets. The attacker did that by compromising a software engineer’s laptop and impersonating the developer once he had successfully authenticated using multifactor authentication.
The LastPass investigation determined that the threat actor couldn’t access customer data or encrypted password vaults, and the incident was closed.
@LastPass reported a second incident on December 22nd, indicating that the threat actor had used the information stolen in the first incident to target another employee. By doing this, they accessed a third-party cloud storage service shared between LastPass and GoTo. There they stole customer account information and a backup of customers' data vaults containing non-encrypted and sensitive encrypted fields.
At that time, LastPass issued a note to their customers with recommendations on protecting their master passwords and preventing phishing attacks.
This week, we learned from @Helpnetsecurity, @arstecnica, and LastPass Support Bulletins that the customer data stolen in the second incident includes, among other data, encrypted customer Vault data, K2 keys used for LastPass federation and phone numbers for second-factor authentication via SMS. (See in the references what information has been accessed) 👇
In the second attack, they used the stolen information from the first incident to target a DevOps engineer’s home computer.
There they exploited a vulnerability in Plex Media Software which allowed them to implant keylogger malware through which they could capture the employee’s master password as it was entered after the employee authenticated with MFA.
With this, they gained access to the engineer’s LastPass corporate Vault. This engineer was one of the only 4 LastPass employees with access to the corporate Vault.
The importance of employee awareness
The importance of password hygiene.
Your enterprise perimeter starts wherever your employees work.
If you allow your employees to work from their home PCs, you need to ensure they have the same level of protection as the corporate ones.
If you can’t control the security of your employee’s home PCs, it is better to provide employees with a PC platformed and protected by corporate’s security profiles and tools,
The importance of the supply chain
Whatever policy or tools you use to manage passwords, always add additional authentication factors.
A tactic is to replace some characters of your stored passwords with others you only know, so if somebody steals them from your Vault, they won’t work.
The token of a valid user session, even using MFA, can be stolen if the user’s PC has malware controlled by an attacker.
Analysis of abnormal insider activity is key to detecting the impersonation of privileged users' accounts.
The attacker has not claimed any ransom so far. It is hard to believe they have taken such much effort and sophisticated work for nothing.
Possibly this won’t be the final chapter of this story. What do you think might be the attacker's end goal and next steps?
What information has been stolen: https://support.lastpass.com/help/what-data-was-accessed
Article by @Helpnet security: https://www.helpnetsecurity.com/2023/02/28/lastpass-breach-corporate-vault/
@LastPass notice of recent security Incident (December 22nd): https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
@LastPass Incident 2 - Additional details of the attack: https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
@LastPass Security Bulletin: Recommended Actions for Free, Premium, and Families Customers: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers
@LastPass Security Bulletin: Recommended Actions for LastPass Business Administrators: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators