LastPass reveals exactly how it was hacked
LastPass shared more details about the December data breach that shocked the industry, with the attack sounding like it came straight out of a spy movie.
In a security advisory, the password manager said that two incidents which had seemed unrelated were in fact part of a single campaign. It also said the threat actor specifically targeted one of only four DevOps engineers, which underlines how deliberate the whole operation was.
The LastPass investigation concluded that there were two incidents: one noticed in August 2022 and one noticed in December 2022.
Access to S3 buckets
The threat actors used the information obtained in the initial attack, as well as information from an entirely separate cybersecurity incident, to identify the company’s encrypted Amazon S3 cloud storage buckets.
But to access the buckets they needed the decryption keys, which only four LastPass DevOps engineers held. So they targeted one of them, exploiting a remote code execution vulnerability in a third-party media software package installed on the engineer's home computer. That foothold let them install a keylogger, which is what ultimately defeated the account's protections: MFA stops a stolen password from being replayed, but it does nothing against keystrokes captured on the endpoint after the user has already authenticated.
“The threat actor was able to capture the employee’s master password as entered, after the employee authenticated with MFA, and access the DevOps engineer’s LastPass corporate vault,” the company explained.
The threat actor then exported the corporate vault entries and the contents of shared folders, which contained encrypted secure notes holding the access and decryption keys needed to reach the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
Because the attackers used valid credentials, the company’s cybersecurity team did not identify the activity as malicious. Consequently, the threat actor lurked on the company’s storage servers for two months.
After the fact, LastPass said it has hardened its security posture: it rotated sensitive credentials, authentication keys and tokens, revoked and reissued certificates, added logging and alerting, and began enforcing stricter security policies.
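The two paragraphs above describe the failure mode (valid credentials, so nothing looked malicious for two months) and the remedy (more logging and alerting). The following is an added example, not LastPass's code, showing one concrete way such alerting can work: learn which source IPs each IAM principal normally uses from a baseline window of CloudTrail S3 data events, then flag a principal that appears from an unfamiliar IP, and separately flag a burst of GetObject calls by a single principal, which is what pulling a backup out of a bucket looks like. The record shape follows the CloudTrail schema (eventTime, eventName, sourceIPAddress, userIdentity.arn, requestParameters.bucketName); the principals, IPs, bucket name and timestamps are constructed for the example.

```python
"""Flag S3 access that uses valid credentials but departs from a principal's baseline.

Added example, not LastPass's code. The CloudTrail-style records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, one JSON object per line (the shape of a
# flattened CloudTrail export). Principals, IPs and bucket name are invented.
BASELINE_LOG = """\
{"eventTime":"2022-07-01T09:00:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-a"},"requestParameters":{"bucketName":"prod-backups"}}
{"eventTime":"2022-07-02T10:15:00Z","eventName":"PutObject","sourceIPAddress":"203.0.113.11","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-a"},"requestParameters":{"bucketName":"prod-backups"}}
{"eventTime":"2022-07-03T11:30:00Z","eventName":"ListObjects","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-b"},"requestParameters":{"bucketName":"prod-backups"}}
"""

NEW_LOG = """\
{"eventTime":"2022-08-12T08:00:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-a"},"requestParameters":{"bucketName":"prod-backups"}}
{"eventTime":"2022-08-12T22:01:00Z","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-a"},"requestParameters":{"bucketName":"prod-backups"}}
{"eventTime":"2022-08-12T22:02:00Z","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-a"},"requestParameters":{"bucketName":"prod-backups"}}
{"eventTime":"2022-08-12T22:03:00Z","eventName":"GetObject","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-a"},"requestParameters":{"bucketName":"prod-backups"}}
{"eventTime":"2022-08-12T22:05:00Z","eventName":"ListObjects","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-b"},"requestParameters":{"bucketName":"prod-backups"}}
"""


def parse_records(text):
    """Parse newline-delimited CloudTrail records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records):
    """Map each principal ARN to the set of source IPs it has been seen from."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["userIdentity"]["arn"]].add(rec["sourceIPAddress"])
    return seen


def detect(records, baseline, read_threshold=3, window=timedelta(minutes=10)):
    """Return findings as (kind, arn, ip, eventTime) tuples.

    kind is "new_source_ip" when a principal appears from an IP outside its
    baseline (reported once per principal/IP pair), or "bulk_read" when one
    principal issues read_threshold or more GetObject calls inside a sliding
    window (reported once per principal).
    """
    findings = []
    reported_ips = set()
    reported_bulk = set()
    recent_reads = defaultdict(list)  # arn -> timestamps of recent GetObject calls
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        arn = rec["userIdentity"]["arn"]
        ip = rec["sourceIPAddress"]
        when = rec["eventTime"]
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ")
        if ip not in baseline.get(arn, set()) and (arn, ip) not in reported_ips:
            reported_ips.add((arn, ip))
            findings.append(("new_source_ip", arn, ip, when))
        if rec["eventName"] == "GetObject":
            # Keep only reads still inside the window, then add this one.
            reads = [t for t in recent_reads[arn] if ts - t <= window] + [ts]
            recent_reads[arn] = reads
            if len(reads) >= read_threshold and arn not in reported_bulk:
                reported_bulk.add(arn)
                findings.append(("bulk_read", arn, ip, when))
    return findings


def run():
    """Build the baseline from the first window and scan the second."""
    baseline = build_baseline(parse_records(BASELINE_LOG))
    return detect(parse_records(NEW_LOG), baseline)


if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

On the constructed data this produces two findings for devops-a: the first GetObject from 198.51.100.7 and, two calls later, the burst of reads. Both alerts fire on activity authenticated with perfectly valid keys, which is the point: the credentials are fine, the behaviour is not. One caveat: if an attacker tunnels requests through the compromised endpoint itself, the source IP check stays quiet, so the volume check (or S3 object-level data events with a threshold tuned to the real backup job) has to carry the detection on its own.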
Via: BleepingComputer