LastPass is, once again, telling customers about a security incident related to the August 2022 breach of its development environment and subsequent unauthorized access to the company’s third-party cloud storage service that hosted backups: “The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack.”
The results of both breaches are catastrophic and the list of data and secrets stolen/compromise as a result is extensive.
Getting into the LastPass corporate vault
The second incident went initially unnoticed, LastPass says, the tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) of the second incident “were not consistent with those of the first.” It was only later determined that the two incidents were related.
“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” the company explained.
How did the attacker do it? As it turns out, they stole access credentials from a senior DevOps engineer by:
- Targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package (Plesk, according to an Ars Technica source) to be able to remotely execute code remote code
- Using that capability to implant a keylogger, which captured the employee’s master password (after the employee authenticated with MFA)
- Gaining access to the engineer’s LastPass corporate vault
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass added.
The company says that they still don’t know the identity of the attacker and their motivation: “There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.”
Of course, it’s possible that the company was just a stepping stone to another target – the interconnectedness of services and companies has reached such levels that third-party supply chain compromises have become practically ordinary.
What should LastPass customers do now?
It would be interesting to know how the threat actor pinpointed which DevOps engineer to target and ultimately managed to “hop” on their computer, but this kind of “personal” approach is not unheard of (and could be more frequent than it’s publicly known).
LastPass has yet to publish an official post about this incident – we only know all this now because the company began notifying its business customers on the quiet and the information was leaked.
A copy of the notification is available here, and points both Business and Teams customers and LastPass Free, Premium, and Families Customers to recommended best practices and actions that they should take to protect themselves and their organization from the possible fallout of this breach.