DevOps engineer hacked to steal password vault data in 2022 breach

LastPass has revealed more information on a “coordinated second attack,” where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.

LastPass disclosed a breach in December where threat actors stole partially encrypted password vault data and customer information.

The company has now disclosed how the threat actors carried out this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer’s computer.

LastPass says this second coordinated attack used the data stolen in the first breach to gain access to the company’s encrypted Amazon S3 buckets.

As only four LastPass DevOps engineers had access to those decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers successfully installed a keylogger on the employee’s device by exploiting a remote code execution vulnerability in a third-party media software package.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” reads a new security advisory published today.

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

The use of valid credentials made it difficult for the company’s investigators to detect the threat actor’s activity, allowing the hacker to access and steal data from LastPass’ cloud storage servers for over two months, between August 12, 2022, and October 26, 2022.

LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
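The detection point above is that stolen but valid credentials look normal request by request, so the usable signal is a principal assuming a role it never assumed before, or from a place it never did. The following is an added example, not LastPass’ or AWS’ own code: a baseline-based check over constructed CloudTrail-shaped AssumeRole records (the account id, user names, role ARNs and IP addresses are all constructed).

```python
from collections import defaultdict

def _ev(name, ip, user, **params):
    """Build a constructed CloudTrail-shaped record (field names follow the schema)."""
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params}

ROLE_BACKUP = "arn:aws:iam::111122223333:role/BackupReader"  # constructed
ROLE_DB = "arn:aws:iam::111122223333:role/ProdDBAdmin"       # constructed

BASELINE_EVENTS = [  # constructed: normal DevOps activity before the review window
    _ev("AssumeRole", "203.0.113.10", "devops-1", roleArn=ROLE_BACKUP),
    _ev("AssumeRole", "203.0.113.11", "devops-1", roleArn=ROLE_BACKUP),
]
NEW_EVENTS = [  # constructed: the window under review
    _ev("AssumeRole", "203.0.113.10", "devops-1", roleArn=ROLE_BACKUP),  # normal
    _ev("AssumeRole", "198.51.100.7", "devops-1", roleArn=ROLE_BACKUP),  # unseen IP
    _ev("AssumeRole", "203.0.113.10", "devops-1", roleArn=ROLE_DB),      # unseen role
    _ev("GetObject", "203.0.113.10", "devops-1", bucketName="backups"),  # not a role call
]

def build_baseline(events):
    """Map (principal ARN, role ARN) -> set of source IPs that assumed it."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("eventName") == "AssumeRole":
            key = (ev["userIdentity"]["arn"], ev["requestParameters"]["roleArn"])
            seen[key].add(ev["sourceIPAddress"])
    return seen

def detect_anomalous_role_use(events, baseline):
    """Return findings for AssumeRole calls that deviate from the baseline:
    a (principal, role) pair never seen, or a known pair from an unseen IP."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        principal = ev["userIdentity"]["arn"]
        role, ip = ev["requestParameters"]["roleArn"], ev["sourceIPAddress"]
        if (principal, role) not in baseline:
            findings.append({"principal": principal, "role": role, "ip": ip,
                             "reason": "role never assumed by this principal in baseline"})
        elif ip not in baseline[(principal, role)]:
            findings.append({"principal": principal, "role": role, "ip": ip,
                             "reason": "known role assumed from unseen source IP"})
    return findings

if __name__ == "__main__":
    for finding in detect_anomalous_role_use(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

A real deployment would read the records from CloudTrail logs and keep the baseline per account; the GuardDuty findings the article mentions are the managed form of this kind of check.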

The company says it has since updated its security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding more logging and alerting, and enforcing stricter security policies.

A large amount of data was accessed

As part of today’s disclosure, LastPass has released more detailed information on what customer information was stolen in the attack.

Depending on the particular customer, this data is vast and varied, ranging from Multifactor Authentication (MFA) seeds and MFA API integration secrets to the split knowledge component (“K2”) key for Federated business customers.

A complete list of stolen data is below, with a more detailed and easier-to-read chart on a support page.

Summary of data accessed in Incident 1:

  • On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.

  • Internal scripts from the repositories – these contained LastPass secrets and certificates.

  • Internal documentation – technical information that described how the development environment operated.

Summary of data accessed in Incident 2:

  • DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.

  • Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, was encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.

  • Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

None of today’s support bulletins are easy to find, as none of them are listed in search engines: the company added <meta name="robots" content="noindex"> HTML tags to the documents to prevent them from being indexed.

LastPass released a PDF titled “Security Incident Update and Recommended Actions,” which contains further details about the breach and the stolen data.

The company also created support documents containing recommended actions that should be taken by Free, Premium, and Families customers and by LastPass Business Administrators.

These bulletins contain recommended steps to further harden your LastPass account and integrations.

Update 2/28/22: Added more links to resources.
