LastPass suffered a cyber attack last year that resulted in a breach, allowing the threat actor to get a hold of sensitive customer data including passwords. It's only now that the company discovered that it could be traced back to a DevOps engineer's home computer.
Attack through the Engineer's Computer
Even though the hacker stole LastPass credentials, the information was still encrypted and they weren't able to acquire the decryption keys in the first attack. There are two locations in which it can be retrieved.
One of the two options was a highly restricted set of folders located in a LastPass password manager vault. These are only used by DevOps engineers who had access to decryption keys in order to perform administrative duties.
It was difficult to access LastPass' cloud-based storage resources since the S3 buckets are protected by AWS S3-SSE encryption, AWS S3-KMS encryption, or AWS S3-SSE-C encryption. AWS Access Keys and the LastPass-generated decryption keys are needed.
To acquire the needed key, the hacker targeted one of the DevOps engineer's home computer by exploiting a vulnerability found in the Plex media platform, according to 9To5Mac. Plex was also targeted in a cyber attack resulting in 15 million customer passwords stolen.
After stealing the decryption key, remote code execution capability was enabled and the hacker managed to implant keylogger malware. They acquired the master password after the employee authenticated with MFA, accessing the engineer's corporate vault, according to LastPass.
Upon gaining access, the attacker exported the native corporate vault entries and content of shared folders, holding encrypted secure notes with access, as well as decryption keys for AWS S3 LastPass production backups, other cloud-based storage resources, and more.
How LastPass is Resolving It
The company has forensically imaged devices to investigate both corporate and personal resources, as well as gather information on potential malicious activities. This includes strengthening the security of the targeted DevOps engineer's network.
LastPass also enabled Microsoft's conditional access PIN-matching multifactor authentication by upgrading to the Microsoft Authenticator application. They have also revoked and re-issued certificated that were stolen by the attacker.
The company has also revised its round-the-clock threat detection and response coverage, with additional managed and automated services. In addition to that, LastPass developed custom analytics to detect malicious activities regarding its AWS resources.
Read Also: LastPass Suffers New Breach, Customer Data Gets Exposed
Prior to the Successful Entry
The hackers managed to get enough information from the first incident, as well as information from a third party to coordinate a second attack. The company's investigation saw that the two incidents were related, even though it was not deduced as such at the beginning.
The threat actor continued to actively engage in "reconnaissance, enumeration, and exfiltration activities" after resolving the first attack on August 12th, 2022. Continuing to do so until October 26th, 2022. Since they used valid credentials, it was hard to determine whether it was a threat.
Eventually, the company was informed of the unusual activity by the AWS GuardDuty Alerts, saying that the hacker attempted to use Cloud Identity and Access management roles in performing the malicious activities.
Related: Hackers Breached LastPass Cloud Storage, Customer Vault Data Stolen
