LastPass Reveals more details on the breach

In December, LastPass announced a compromise in which threat actors obtained user information and partially encrypted password vault data. The organization has now revealed how the threat actors carried out this attack, saying that they installed a keylogger on a senior DevOps engineer’s PC using information obtained from two data breaches (one from August and one from a different month). To mount a coordinated attack, the hacker combined information obtained from an August breach with information obtained from a third-party data breach and a weakness in third-party media software.

LastPass has published an advisory saying that “Our investigation has revealed that the threat actor pivoted from the first incident, which ended on Aug 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from Aug 12 to Oct 26, 2022. The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources.”

A DevOps engineer’s home computer was targeted in order to get around security mitigations, according to forensics performed by LastPass in collaboration with incident response specialists at Mandiant. The attackers infected the employee’s PC with keylogger malware by taking advantage of a remote code execution vulnerability in a third-party software package.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

In August 2022, LastPass first disclosed the hack and said that some of its source code had been taken. The organization claimed the incident occurred in January 2023 and involved the loss of account usernames, salted passwords, and hashed passwords.

LastPass users who have not already done so are strongly advised to update both their master password and every password kept in their vaults to reduce any potential risks.

Source

https://www.zdnet.com/article/lastpass-breach-hackers-put-malware-on-engineers-home-computer-to-steal-their-password/

https://support.lastpass.com/help/incident-2-additional-details-of-the-attack

May 21st, 2024
