The hits keep coming — LastPass says employee's home computer was hacked and corporate vault taken
Already smarting from a breach that stole customer vaults, LastPass has more bad news.
Dan Goodin – Feb 28, 2023 1:01 am UTC
[Image credit: Leon Neal | Getty Images]
Already smarting from a breach that put partially encrypted login data into a threat actor's hands, LastPass on Monday said that the same attacker hacked an employee's home computer and obtained a decrypted vault available to only a handful of company developers.
Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Another bombshell drops
"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware," LastPass officials wrote. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."
The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
Monday's update comes two months after LastPass issued a previous bombshell update that, for the first time, said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.
The backup data contained both unencrypted data, such as website URLs, and fields with an additional layer of 256-bit AES encryption: website usernames and passwords, secure notes, and form-fill data. The new details explain how the threat actor obtained the S3 encryption keys.
Monday's update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second one and that, as a result, it wasn't initially clear to investigators that the two were directly related. During the second incident, the threat actor used information obtained during the first one to enumerate and exfiltrate the data stored in the S3 buckets.
"Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation," LastPass officials wrote. "Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity."
LastPass learned of the second incident from Amazon’s warnings of anomalous behavior when the threat actor tried to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
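The detection problem LastPass describes, stolen credentials that pass authentication and blend in with a real engineer's day-to-day work, is best illustrated with rules that compare a principal's activity against its own baseline rather than looking for failed logins. The Python script below is an added example, not LastPass's or Amazon's tooling: it runs three such rules over constructed CloudTrail-shaped events (field names mirror CloudTrail, the principal name, IP addresses, thresholds and events are all invented for the demo). The rules flag a known principal appearing from a source address outside its baseline, a burst of AccessDenied responses on IAM role calls (the kind of signal behind the Amazon warning mentioned above), and S3 read volume far above what the same principal does from its usual addresses.

```python
import json
from collections import Counter, defaultdict

# Constructed baseline: source IPs each principal has historically used
# (documentation-range addresses, not real infrastructure).
BASELINE_SOURCE_IPS = {"devops-engineer": {"203.0.113.10"}}

# Event names grouped by what they tell a responder.
S3_READ_EVENTS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject", "HeadObject"}
IAM_PIVOT_EVENTS = {"AssumeRole", "GetRole", "ListRoles", "CreateAccessKey", "AttachUserPolicy"}


def _event(ts, user, ip, name, error=None):
    """Build one CloudTrail-shaped record (field names mirror CloudTrail, data is constructed)."""
    rec = {"eventTime": ts, "userIdentity": {"userName": user},
           "sourceIPAddress": ip, "eventName": name}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)


# Constructed log: the same valid credentials, first used normally, then from a new
# address for bulk backup reads and repeated attempts to assume roles the user lacks.
SAMPLE_LOG = "\n".join(
    [_event("2022-08-13T01:00:00Z", "devops-engineer", "203.0.113.10", "ListBuckets"),
     _event("2022-08-13T01:00:05Z", "devops-engineer", "203.0.113.10", "GetObject")]
    + [_event(f"2022-08-14T03:00:{i:02d}Z", "devops-engineer", "198.51.100.7", "GetObject")
       for i in range(12)]
    + [_event("2022-08-14T03:00:13Z", "devops-engineer", "198.51.100.7", "ListBuckets")]
    + [_event(f"2022-08-14T03:10:{i:02d}Z", "devops-engineer", "198.51.100.7",
              "AssumeRole", "AccessDenied") for i in range(3)]
)


def parse_events(raw):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events, baseline_ips, denied_threshold=3, volume_factor=5):
    """Return (rule, principal, source_ip, count) alerts.

    Authentication succeeded for every event here, so the rules key on behaviour
    relative to each principal's own baseline rather than on failed logins.
    """
    reads = defaultdict(Counter)    # principal -> Counter(ip -> successful S3 reads)
    denied = defaultdict(Counter)   # principal -> Counter(ip -> AccessDenied IAM calls)
    seen_ips = defaultdict(set)     # principal -> every source IP observed
    for ev in events:
        user, ip, name = ev["userIdentity"]["userName"], ev["sourceIPAddress"], ev["eventName"]
        seen_ips[user].add(ip)
        if name in S3_READ_EVENTS and "errorCode" not in ev:
            reads[user][ip] += 1
        elif name in IAM_PIVOT_EVENTS and ev.get("errorCode") == "AccessDenied":
            denied[user][ip] += 1

    alerts = []
    for user, ips in seen_ips.items():
        known = baseline_ips.get(user, set())
        normal_reads = sum(reads[user][ip] for ip in known)
        for ip in sorted(ips - known):
            alerts.append(("new_source_ip", user, ip, 1))
            # Bulk reads from an address this principal never used before.
            if reads[user][ip] >= volume_factor * max(normal_reads, 1):
                alerts.append(("s3_read_volume", user, ip, reads[user][ip]))
        for ip, n in denied[user].items():
            if n >= denied_threshold:
                alerts.append(("iam_denied_burst", user, ip, n))
    return alerts


def run_demo():
    """Run the rules over the constructed log."""
    return detect(parse_events(SAMPLE_LOG), BASELINE_SOURCE_IPS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The first two events alone (the engineer's normal work) produce no alert; the remaining events trip all three rules even though every call carried valid credentials. In a real environment the baseline would come from weeks of history per principal, and the volume rule would be normalised per day rather than over the whole window.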
According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee's home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.
It's not clear if the Plex breach has any connection to the LastPass intrusions. Representatives of LastPass and Plex didn't respond to emails seeking comment for this story.
The threat actor behind the LastPass breach has proven especially resourceful, and the revelation that it successfully exploited a software vulnerability on the home computer of an employee further reinforces that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it's not clear whether the threat actor has access to either, the precautions are warranted.
Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Find him on Mastodon at: https://infosec.exchange/@dangoodin Email dan.goodin@arstechnica.com
Promoted Comments
ikjadoon:
What I don’t understand is how any of this could grant access to actual end-user data. From what I know of their design, LastPass’s master vault passwords are split – by definition, LastPass is only supposed to have a part of that key; the other half is only known to the end user’s device(s). LastPass is never by design supposed to have the full master vault keys. Unless… they do…?
Ditto with unencrypted vaults; those are only ever supposed to exist on end-user devices in-memory, per their own service descriptions. It’s one of their selling points. How could LastPass even have unencrypted vault copies to expose? Their own developer vaults, sure; but not end-user vaults. All a bad guy could ever manage to get, absolute worst case, would be an end-user’s encrypted vault and half of a key. Supposedly…??
I’m genuinely curious now.
There are two separate vault breaches here.
1) LastPass internally uses LastPass to keep their Amazon S3 login information. This internal LastPass Vault itself held the logins to LastPass’ internal Amazon account. One LastPass dev had access to this internal dev vault and was allowed to install Plex, which had a major security vulnerability. The hackers installed a keylogger onto that developer’s PC and extracted that dev’s Master Password and MFA code to the LastPass internal vault. Thus, the LastPass internal vault was immediately decrypted. Because they stole that dev’s Master Password + MFA.
If hackers install a keylogger onto a developer’s system, then hackers can steal passwords and immediately decrypt any of that user’s vaults. That LastPass dev had nobody else’s Master Password.
2) Well, that dev’s vault was damn valuable. Because now the hackers used that developer’s now-decrypted Amazon S3 login and extracted 30 million encrypted consumer vaults stored on Amazon S3 (because LastPass backed up encrypted consumer vaults to Amazon S3). This is all the consumer data.
TL;DR: the hackers keylogged the Master Password of a LastPass employee, not of any consumers. So that LastPass employee’s vault was immediately decrypted. Essentially, the LastPass dev accidentally gave away access to his entire PC & work credentials.
//
Encrypted LastPass vaults aren’t safe by default, however. If your vault had low iteration counts (e.g., 1 or 500) and a short, non-machine-generated Master Password plus stored juicy things the hackers might want (crypto logins, bank logins), then your vault is more likely a higher priority to be guessed / brute-forced.
A helpful note: some people keep saying "But the accounts had AES-256! Nobody can crack that!" Imagine your LastPass Vault has 100-feet steel walls (that’s AES-256) and a locked door (that’s the Master Password).
The hackers will not try to drill through the massive walls; they will try billions or even trillions of keys on the door. February 28, 2023 at 4:38 am
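The commenter's point about iteration counts and the "door" can be put in numbers. The Python below is an added example, not code from Ars Technica, the commenter, or LastPass: it derives a vault key with PBKDF2-HMAC-SHA256 (the salt and output length are assumptions for the demo, not LastPass's exact parameters), times one derivation at different iteration counts, and estimates how the master password's character-class entropy and the iteration count together set an attacker's expected work. The 600,000-iteration threshold is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256; the guesses-per-second rate is a placeholder the reader should replace with their own threat-model number.

```python
import hashlib
import math
import string
import time

# OWASP Password Storage Cheat Sheet guidance for PBKDF2-HMAC-SHA256 (2023).
RECOMMENDED_ITERATIONS = 600_000

# Assumed attacker throughput for a single PBKDF2-HMAC-SHA256 iteration, in
# guesses per second. A placeholder for the reader's own threat model, not a
# measured figure.
ASSUMED_RATE_PER_ITERATION = 1e9

# Character classes an attacker enumerates once they know which ones were used.
CHAR_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),
]


def derive_vault_key(master_password, salt, iterations):
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The salt and output length are assumptions for the demo, not LastPass's
    exact parameters; what matters here is that cost scales with `iterations`.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def time_one_guess(iterations, salt=b"demo-salt"):
    """Wall-clock seconds for one derivation on this machine: the per-guess cost."""
    start = time.perf_counter()
    derive_vault_key("any-guess", salt, iterations)
    return time.perf_counter() - start


def entropy_bits(password):
    """Bits of brute-force work assuming the attacker knows the character classes used.

    This is an optimistic upper bound: wordlist and pattern attacks cut the
    space far below this for human-chosen passwords.
    """
    pool = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def expected_crack_seconds(bits, iterations, rate=ASSUMED_RATE_PER_ITERATION):
    """Expected time to hit the right guess: half the space, each guess costing `iterations` rounds."""
    return (2 ** bits / 2) * iterations / rate


def vault_risk(master_password, iterations):
    """Summarise how the 'door' (master password plus iteration count) holds up."""
    bits = entropy_bits(master_password)
    seconds = expected_crack_seconds(bits, iterations)
    return {
        "entropy_bits": round(bits, 1),
        "iterations": iterations,
        "iterations_ok": iterations >= RECOMMENDED_ITERATIONS,
        "guess_cost_vs_recommended": iterations / RECOMMENDED_ITERATIONS,
        "expected_years": seconds / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for pw, iters in [("Summer22!", 500), ("Summer22!", RECOMMENDED_ITERATIONS),
                      ("kR8#vLq2$wZn9pTe", RECOMMENDED_ITERATIONS)]:
        print(pw, vault_risk(pw, iters))
    print("one guess at 1 iteration:     %.6fs" % time_one_guess(1))
    print("one guess at 600k iterations: %.3fs" % time_one_guess(RECOMMENDED_ITERATIONS))
```

Raising the iteration count from 500 to 600,000 multiplies every guess by 1,200 without touching the AES layer at all, which is why the walls never matter and the door does; a long machine-generated master password moves the entropy term instead, and the two multiply. The timing function shows the same effect on the defender's side: a single unlock at 600,000 iterations costs a fraction of a second, which is affordable once per session and ruinous at a trillion guesses.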