On the 28th of February, the password manager maker LastPass revealed that the massive data breach it encountered last November involved the compromise of a DevOps engineer’s home computer.
The breach was the result of one of the engineer’s forgetting to upgrade Plex on their home computer, which put a decrypted vault available to only a handful of developers into a hacker’s hands. The vault allowed the threat actor to hold sway over a shared cloud-storage environment among others and ultimately, exfiltrate Amazon S3 vault backup encryption keys, reported The Hacker News.
Breaking Down the Breach at LastPass
Before this massive hacking at LastPass, the company experienced a security incident disclosed last August. In this incident, an unauthorised third-party exploited a developer’s compromised account to steal source code and “proprietary LastPass technical information”.
On 22nd December, the password manager service detailed that the threat actor infiltrated the company’s system during the second incident by exploiting data stolen from the first incident. The backup of partially encrypted user vault information that the hacker managed to copy included passwords, website URLs, and usernames.
“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” LastPass said.
Now, in Monday’s update, the company said that even though the first incident ended on 12th August, the hacker “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” up to 26th October.
According to the company, during this time, the hacker managed to execute the second attack.
This second intrusion particularly singled out one of the four senior DevOps engineers with access to the corporate data vault executing a keystroke logger malware on their computer. The target was to steal the master password as it was entered by the hacked engineer to access the corporate vault.
The threat actor exploited a three-year-old, now-patched security vulnerability on Plex Media Server software to gain code execution on the engineer’s computer.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” explained LastPass officials. “The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault.”
Tracked as CVE-2020-5741 (CVSS score: 7.2), the vulnerability was patched by Plex in version 18.104.22.16864 released in May 2020.
“Unfortunately, the LastPass employee never upgraded their software to activate the patch,” Plex said in a statement. “For reference, the version that addressed this exploit was roughly 75 versions ago.”
In Monday’s update, the password manager company said that the tactics, techniques, and procedures (TTPs) used to execute the first breach were different from those used in the second one, making it tough for the investigators to correlate these two incidents.
Educating Employees on Cyber Behavior Can Help Dodge Breaches
Ensuring employees have access to essential tools and providing them with training on cyber behaviour is critical to minimising the risk of cyber threats.
For organisations looking to develop a security culture improvement program to ensure no cybercriminal can hold sway over sensitive business information, leveraging a human risk management solution such as CultureAI is a sensible decision.
LastPass detailed the steps it has taken as part of the company’s effort to investigate and respond to the security incident. The company also suggested its customers reset their passwords as an additional security measure.