Password management provider LastPass has acknowledged that a breach of security controls last August involved hackers compromising the home computer of one of the company’s DevOps engineers to aid in a data theft.
LastPass, owned by GoTo, gave details of the first attack, in which a threat actor exfiltrated encrypted backups associated with its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products that were stored on Amazon’s cloud storage. An encryption key for a portion of the encrypted backup was also stolen. Some source code and technical information was also taken from the company’s development environment, and another employee was targeted in order to obtain credentials and keys used to access and decrypt certain storage volumes within a cloud-based storage service.
This week the company added more information. It describes the entire attack as two incidents: the first was the theft from the cloud storage service and of source code; the second, part of the same campaign, involved a DevOps engineer.
While LastPass was dealing with the first incident, which ended on August 12, 2022, the attacker pivoted to go after a developer who had access to the decryption keys needed to access the cloud storage service. This attack and data theft continued until October 2022.
“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” the report said.
“Alerts and logging were enabled during these incidents, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation. Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to distinguish between threat actor activity and ongoing legitimate activity. AWS GuardDuty alerts ultimately notified us of anomalous behavior when the threat actor attempted to use cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”
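The passage above captures the defender's problem in this breach: the attacker held an engineer's valid credentials, so routine storage reads looked legitimate, and the first dependable signal was an attempt to use IAM roles outside that engineer's normal pattern. The following added example (not LastPass's, GoTo's, or AWS's code) shows one way to surface that kind of deviation from CloudTrail-style records: it compares each principal's `sts:AssumeRole` targets against a per-principal baseline, flags privileged IAM actions, and counts `AccessDenied` responses. The event records, principal names, role ARNs, baseline and thresholds are all constructed for the example; in practice the baseline would be derived from historical logs.

```python
"""
Added example: a baseline-deviation detector over constructed CloudTrail-style
records.  Everything below (principals, role ARNs, events, thresholds) is
constructed for illustration and is not taken from the incident report.
"""
import json
from collections import Counter

# Constructed baseline: which roles each principal normally assumes.
BASELINE_ROLES = {
    "devops-engineer-A": {"arn:aws:iam::111122223333:role/BackupReader"},
}

# Privileged IAM/STS actions worth a finding when a principal uses them
# outside its baseline (constructed, not exhaustive).
SENSITIVE_ACTIONS = {
    "sts:AssumeRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "iam:UpdateAssumeRolePolicy", "iam:PassRole",
}

# Number of AccessDenied responses from one principal that counts as a burst.
DENIED_THRESHOLD = 3

# Constructed CloudTrail-like events (only the fields the detector reads).
SAMPLE_EVENTS = [
    {"eventTime": "2022-09-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "devops-engineer-A"},
     "requestParameters": {"bucketName": "example-backups"}},
    {"eventTime": "2022-09-01T10:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"userName": "devops-engineer-A"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/BackupReader"}},
    {"eventTime": "2022-09-01T10:02:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"userName": "devops-engineer-A"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ProdAdmin"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2022-09-01T10:02:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"userName": "devops-engineer-A"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/KeyCustodian"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2022-09-01T10:02:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"userName": "devops-engineer-A"},
     "requestParameters": {"userName": "devops-engineer-A"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2022-09-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "devops-engineer-A"},
     "requestParameters": {"bucketName": "example-backups"}},
]

# CloudTrail delivers log files as a JSON object with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": SAMPLE_EVENTS})


def parse_cloudtrail(text):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(text).get("Records", [])


def action_of(event):
    """Build a 'service:Action' string, e.g. 'sts:AssumeRole'."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def principal_of(event):
    return event.get("userIdentity", {}).get("userName", "<unknown>")


def detect(events):
    """Return a list of findings; ordinary baseline activity yields none."""
    findings = []
    denied = Counter()
    for ev in events:
        who, action = principal_of(ev), action_of(ev)
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
        if action == "sts:AssumeRole":
            role = ev.get("requestParameters", {}).get("roleArn", "")
            if role not in BASELINE_ROLES.get(who, set()):
                findings.append({"type": "role_outside_baseline", "principal": who,
                                 "detail": role, "time": ev["eventTime"]})
        elif action in SENSITIVE_ACTIONS:
            findings.append({"type": "sensitive_iam_action", "principal": who,
                             "detail": action, "time": ev["eventTime"]})
    for who, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append({"type": "access_denied_burst", "principal": who,
                             "detail": f"{n} AccessDenied responses", "time": None})
    return findings


def run_sample():
    return detect(parse_cloudtrail(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['type']:22} {f['principal']:18} {f['detail']}")
```

The two `GetObject` reads against the backup bucket produce no finding, which is exactly the blind spot the report describes: with stolen-but-valid credentials the exfiltration itself is indistinguishable from the engineer's normal work, so the baseline has to be built around role assumption and privilege changes rather than data access alone.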
The DevOps engineer was one of four who had access to the decryption keys needed to access the cloud storage service.
The report states that the person’s home computer was compromised by exploiting a vulnerable third-party media software package, which enabled remote code execution and allowed the threat actor to install keylogger malware. The keylogger captured the employee’s master password as it was entered, after the employee had authenticated with multi-factor authentication, giving the threat actor access to the DevOps engineer’s LastPass corporate vault.
“The threat actor then exported the native corporate vault entries and content of shared folders,” the report said, “which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
LastPass says the investigation and incident response to the second incident are ongoing. Measures taken so far include:
- engaging Mandiant, with the aid of forensic imaging tools, to investigate corporate and personal resources and collect evidence detailing potential threat actor activity;
- helping the DevOps engineer harden the security of their home network and personal resources;
- enabling Microsoft’s Conditional Access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application that became generally available during the incident;
- rotating critical and high-privilege credentials that were known to have been available to the threat actor. The company says this effort is complete and poses no risk to LastPass or its customers, with rotation of the remaining lower-priority items continuing;
- revoking and reissuing certificates obtained by the threat actor;
- analyzing AWS S3 cloud-based storage resources and applying additional S3 hardening measures.