Password management provider LastPass has admitted that part of last August’s breach of security controls included hackers compromising the home computer of one of the company’s DevOps engineers to help in data theft.
LastPass, which is owned by GoTo, had previously detailed the attack, which saw a threat actor exfiltrating encrypted backups involving its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products that were stored on Amazon’s cloud storage. Also stolen was an encryption key for a portion of the encrypted backups. Some source code and technical information were also stolen from the company’s development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
This week the company added more information describing the entire attack. The theft from the cloud storage service and source code is what it calls the first incident. There was a second incident involving the DevOps engineer as part of the same attack.
While LastPass was dealing with the first incident, which ended on August 12, 2022, the attacker pivoted to go after a developer who had access to the decryption keys needed to access the cloud storage service. This attack and data theft went on until October, 2022.
“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” the report says.
“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation. Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity. Ultimately AWS GuardDuty Alerts informed us of anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”
The DevOps engineer was one of four who had access to the decryption keys needed to access the cloud storage service.
That person’s home computer was compromised by exploiting a vulnerable third-party media software package, the report says, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with multi-factor authentication, and gain access to the DevOps engineer’s LastPass corporate vault.
“The threat actor then exported the native corporate vault entries and content of shared folders, the report says, “which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
LastPass says its investigation and incident response to the second incident continues. It includes:
- with the assistance of Mandiant, forensically imaging devices to investigate corporate and personal resources and gather evidence detailing potential threat actor activity;
- assisting the DevOps engineer with hardening the security of their home network and personal resources;
- enabling Microsoft’s conditional access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application which became generally available during the incident.
- rotating critical and high-privilege credentials that were known to be available to the threat actor. Rotation continues of the remaining lower priority items that the company says poses no risk to LastPass or its customers;
- revoking and re-issuing certificates obtained by the threat actor;
- and analyzing LastPass AWS S3 cloud-based storage resources, including applying additional S3 hardening measures.