Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

LastPass Breach: Hackers Put Malware on Engineer’s Home Computer

March 1, 2023

ZDNET reported on February 28th that the LastPass data breach was a result of hackers stealing a master password that they then used to access highly restricted corporate databases and information. How did they get that password? They targeted a senior engineer’s home computer.

LastPass revealed that it had been hacked in August last year when it said attackers had accessed the development environment, taking portions of LastPass source code and some proprietary technical information.

LastPass initially said there was no evidence that the attackers gained access to customer data or sensitive encrypted vaults.

This changed last December, when LastPass revealed hackers had stolen vault data containing both encrypted and unencrypted data — including information about customers.

The company now says attackers used information stolen during the first attack — along with information stolen in other breaches and the exploitation of a cybersecurity vulnerability — to enable a second attack.

That attack targeted one of only four senior DevOps engineers who had the required high-level security authentication necessary to use the decryption keys required to access the cloud storage service — and the attackers did so by targeting their home computer.

Now there’s an old familiar song . . .

The exact details of how the attack happened haven’t been disclosed, but LastPass said the DevOps engineer’s home computer was targeted by attackers exploiting what’s described as “a vulnerable third-party media software package”, which let the attackers gain the privileges required for remote code execution.

This allowed attackers to install keylogger malware on the home computer, and permitted them to monitor the employee’s keystrokes. They exploited this information to steal the master password to gain access to the corporate vault.

According to LastPass, this access allowed the attackers to enter various shared instances, “which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Following the incident, LastPass says it “assisted the DevOps Engineer with hardening the security of their home network and personal resources.”

I would certainly hope so!

LastPass has upgraded its multi-factor authentication (MFA) by applying Microsoft’s conditional access PIN-matching MFA, and the company is now rotating critical and high-privilege passwords that were known to the attackers, to reduce the chance of an additional breach.

The company is also examining how the breach has potentially affected customers. “There are several additional workstreams underway to help secure our customers, which may require them to perform specific actions,” LastPass said.

The company recommends that LastPass business administration users and other LastPass customers change their master password. This password should not be used to secure any other accounts.

It also recommends that MFA be applied to the account to reduce the chances of it being accessed.

Too little, too late, but perhaps all they can do. The reputation of LastPass is in tatters.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson