Already smarting from a breach that put partially encrypted login data into a threat actor’s hands, LastPass on Monday said that the same attacker hacked an employee’s home computer and obtained a decrypted vault available to only a handful of company developers.
Although an initial intrusion into LastPass ended on August 12, officials with the leading password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and access the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Another bombshell drops
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
Monday’s update comes two months after LastPass issued a previous bombshell update that for the first time said that, contrary to previous assertions, the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing for the copying of customer vault backup data from the encrypted storage container.The backup data contained both unencrypted data, such as website URLs, as well as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.
Monday’s update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second one and that, as a result, it wasn’t initially clear to investigators that the two were directly related. During the second incident, the threat actor used information obtained during the first one to enumerate and exfiltrate the data stored in the S3 buckets.
“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”
LastPass learned of the second incident from Amazon's warnings of anomalous behavior when the threat actor tried to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.It's not clear if the Plex breach has any connection to the LastPass intrusions. Representatives of LastPass and Plex didn’t respond to emails seeking comment for this story.
The threat actor behind the LastPass breach has proven especially resourceful, and the revelation that it successfully exploited a software vulnerability on the home computer of an employee further reinforces that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it’s not clear whether the threat actor has access to either, the precautions are warranted.
Update Wed March 1 9:06 AM: A day after this post went live, a Plex representative wrote in an email: “We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly. We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure.”
Promoted Comments