New LastPass breach post-mortem raises questions
Attackers targeted DevOps engineers' home devices...
Threat actors breached a LastPass engineer’s home computer and used a keylogger to steal his “master password” -- after tailgating him into protected corporate resources when he logged in by MFA-protected VPN.
The incident came as the hackers escalated an earlier breach that had seen them gain initial access to LastPass’s AWS resources, but not the decryption keys that they needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
The incident shows the persistence and ingenuity of determined attackers, who – having apparently identified that just four engineers had access to the decryption keys and targeted one – exploited “a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware” on the DevOps engineers home machine LastPass said this week.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
LastPass data breach: Firm "hardening security" of engineer's home network
LastPass does not explicitly say whether the threat vector was an unpatched and unmanaged BYOD device (if so, it has serious questions to ask) or the “vulnerable third-party media software package”; whilst this could have been an unpatched Adobe product, for example, access could also conceivably have come via an unpatched router; The Stack is requesting further details from LastPass – which says it has since “assisted the DevOps Engineer with hardening the security of their home network and personal resources.”
The breach ultimately exposed encrypted password vaults (“the crown jewels of any password manager” as Wired puts it) along with other user data and the hackers would have subsequently been able to take their time offline working on cracking target passwords, which with sufficient levels of compute is often simple.
One security researcher, Greg Linares, said: “There's at least one other ATP group that specializes in these attack vectors even going as far as launching hybrid cybersecurity attacks ie physical proximity + RF/wifi/bluetooth based attacks with leave behind devices. Attack patterns have been leave behind devices to mitm or brute force wifi security (WPA2 and WPA3 attacks) and even a few MAC address bruting forcing. This is followed up with attacks against network devices: Asus, Netgear, Linksys, TP-Link, eero usually to hijack DNS.”
He added: “[I’ve seen attackers] not going after machines most of the time but home users’ outdated routers.”
How the LastPass data breach started: Nobody knows…
The initial threat vector that ultimately led to the attackers targeting the DevOps engineer remains unclear.
As mentioned above there were two discrete breaches of which this home-targeting incident was the second.
The first LastPass data breach, as detailed in a separate incident report by LastPass here, came after its security team on August 12, 2022, “was alerted to suspicious activity in a cloud-based development environment used for on-demand and pre-production development, integration, testing, and validation” and identified that the attackers had “accessed technical documentation and LastPass source code to exfiltrate 14 of approximately 200 source code repositories of various components of the LastPass service [which]... included cleartext embedded credentials, stored digital certificates related to our development environments, and some encrypted credentials used for production capabilities such as backup. These encrypted credentials require a separate decryption key…” (It was at this point that they pivoted to go after someone who had that decryption key.)
Yet whilst the LastPass post-mortem shows that again, with this initial incident, the attackers tailgated into systems using another software engineer’s domain credentials and MFA – but how they got initial access to the engineer’s work machine remains unclear. As LastPass notes: “Due to anti-forensic activity performed by the threat actor, as well as a scheduled operating system upgrade during the incident timeframe, which overwrote logs and system artifacts, the initial threat vector that the threat actor used to gain access to the software engineer’s machine is not known at this time. The laptop was configured with a standard corporate build of development applications, utilities, and security controls. These included an Endpoint Detection Response (EDR) agent, which was tampered with and was not triggered during the initial activity…”
The incident spanned August 12, 2022 to October 26, 2022. LastPass has detailed the efforts it has made to tighten up IAM access and improve AWS environment visibility in the two posts linked to above.