LastPass has shared more details about the December data breach that shook the industry, with the attack sounding like it came straight out of a spy movie.
In a security advisory (opens in new tab), the password manager said two incidents, seemingly unrelated, which were actually part of a larger campaign. It also said that the threat actors specifically targeted one of four DevOps engineers, further highlighting the sophistication of the entire campaign.
The LastPass investigation concluded that there were two incidents – one that was spotted in August 2022, and one that was spotted in December.
Accessing S3 buckets
The threat actors used the information obtained in the first attack, as well as information from an entirely separate cybersecurity incident, to identify the company’s encrypted cloud storage Amazon S3 buckets.
But to access the buckets, they needed decryption keys, which only four LastPass DevOps engineers possessed. So, they targeted one of them, going after a remote code execution vulnerability found in a third-party media software package installed on their private computer. This allowed them to install a keylogger which helped bypass security protections, and then some.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” the company explained.
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
As the attackers were using valid login information, the company’s cybersecurity team did not identify the activity as malicious. Consequently, the threat actor was lurking in the company’s storage servers for two months.
Now, post-festum, LastPass said it updated its security posture, and started rotating sensitive credentials and authentication keys and tokens. Furthermore, it regularly revokes certificates, requires extra logging and alerting, and started enforcing tougher security policies.
Via: BleepingComputer (opens in new tab)