28 Feb LastPass Reveals A Second Attack That Resulted In The Compromise Of Encrypted Password Vaults

LastPass, which announced a catastrophic data breach in December 2022 that allowed threat actors to access encrypted password vaults, stated that it occurred as a result of the same adversary mounting a second attack on its systems.

One of the business’s DevOps engineers’ personal home computer was compromised and infected with a keylogger as part of a prolonged cyber assault that exfiltrated confidential data from its Amazon AWS cloud storage servers, according to the company.

“To undertake a coordinated second assault, the threat actor exploited information taken during the first incident, information accessible from a third-party data breach, and a vulnerability in a third-party media software package,” the password management service claimed.

From August 12, 2022 through October 26, 2022, this infiltration targeted the company’s infrastructure, resources, and one of its workers. On the other side, the initial incident concluded on August 12, 2022.

During the August intrusion, intruders gained access to source code and sensitive technical knowledge from the development environment via a single compromised employee account.

LastPass disclosed in December 2022 that the threat actor used the stolen information to get access to a cloud-based storage environment and obtain “some parts of our users’ information.”

During that month, the anonymous attacker was revealed to have gotten access to a backup of client vault data secured by 256-bit AES encryption. It did not specify when the backup was made.

GoTo, LastPass’ parent firm, also admitted to a compromise last month caused by illegal access to the third-party cloud storage provider.

The threat actor is now engaging in a fresh wave of “reconnaissance, enumeration, and exfiltration activities” directed against the firm’s cloud storage service between August and October 2022, according to the company.

“Specifically, the threat actor was able to access a shared cloud storage environment using genuine credentials obtained from a senior DevOps engineer,” LastPass claimed, adding that the engineer “had access to the decryption keys required to access the cloud storage service.”

According to the report, this allowed the malicious actor to get access to the AWS S3 buckets that stored backups of LastPass client and encrypted vault data.

The employee’s passwords were allegedly stolen via targeting the individual’s home computer and used a “vulnerable third-party media software package” to accomplish remote code execution and install keylogger software.

“After authenticating using MFA, the threat actor was able to record the employee’s master password as it was input and get access to the DevOps engineer’s LastPass corporate vault,” LastPass claimed.

LastPass did not identify the identity of the third-party media program utilized, but based on the fact that it had a breach of its own in late August 2022, it might be Plex.

After the incident, LastPass stated that it improved its security posture by rotating critical and high privilege credentials and reissuing certificates acquired by the threat actor, as well as implementing additional S3 hardening steps to provide logging and alerting systems.

Outcome

LastPass customers are strongly advised to update their master passwords as well as all passwords saved in their vaults to avoid possible dangers, if they have not already done so.