Contents:
As a result of another attack on LastPass’s systems, the company disclosed a severe data breach in December 2022 that allowed threat actors to access encrypted password vaults.
DevOps engineers’ home computers were breached and infected with a keylogger as part of a sustained cyber attack that exfiltrated sensitive data from Amazon AWS’s cloud storage servers.
The password management service states that the threat actor used stolen information from the first incident, information obtained from a third-party data breach, and a vulnerability in a third-party media package to launch a coordinated second attack.
It targeted the company’s infrastructure, resources, and an employee from August 12, 2022, to October 26, 2022. The first incident ended on August 12, 2022.
LastPass revealed in December 2022 that the threat actor used the stolen information to access a cloud-based storage environment and obtain certain elements of their customers’ data.
In the same month, it was disclosed that an unknown attacker had accessed a backup of customer vault data encrypted with 256-bit AES. However, the exact date of the backup was not revealed.
LastPass’ parent company, GoTo, also disclosed unauthorized access to the third-party cloud storage service last month.
According to the company, the threat actor engaged in a series of “reconnaissance, enumeration, and exfiltration activities” between August and October 2022.
Specifically, the threat actor was able to access a shared cloud storage environment using credentials stolen from a senior DevOps engineer.
The malicious actor thus gained access to the AWS S3 buckets containing backups of LastPass customer data and encrypted vault data.
According to the report, passwords were siphoned from the employee’s home computer using a vulnerable third-party media software package to achieve remote code execution and install a keylogger.
After authenticating with MFA, the threat actor captured the employee’s master password, gaining access to the DevOps engineer’s LastPass corporate vault.
Because Plex suffered a breach of its own in late August 2022, it seems likely that LastPass may have used third-party media software.
After the incident, LastPass said it improved its security posture by rotating necessary and high-privilege credentials, reissuing certificates obtained by the threat actor, and hardening S3 to put logging and alerting in place.
It is highly recommended that LastPass users update their passwords to mitigate potential risks.
Latest Update
Following the publication of the story, Plex shared the following statement:
We take security issues very seriously and often collaborate with external parties to address potential concerns of any size using our bug bounty program. Always with speed and efficiency, we have never had a critical vulnerability made publicly known before having released a patched version. Whenever we experience incidents ourselves, we promptly inform the public as well. At this time, we are not aware of any unpatched vulnerabilities. We invite anyone who wants to report any problem they encounter in compliance with our guidelines found above. Given recent news regarding the LastPass incident, we have contacted them to double-check, though we are unaware of any unpatched vulnerabilities.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
