LastPass has revealed that the threat actors who breached the company's systems in December 2022 did so by leveraging information stolen via a previous attack in August.
In a blog post on Monday, the company said that while no customer data was stolen in the August 2022 incident, some source code and technical information were obtained from the LastPass development environment via a home computer belonging to a DevOps engineer.
From a technical standpoint, the information was obtained via a keylogger installed on the employee's machine by exploiting a remote code execution (RCE) vulnerability in a third-party media software package.
This information was then used to target another employee, the company said, with threat actors obtaining credentials and keys later used to access and decrypt certain storage volumes within the cloud-based storage service in the December attack.
"We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata," the company wrote.
These include company names, end-user names, billing addresses, email addresses and telephone numbers, as well as the IP addresses used by customers to access the LastPass website.
"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data," LastPass continued.
According to Martin Mackay, CRO at Versa Networks, the breach updates by LastPass are a stark reminder that remote working and BYOD (bring your own device) are increasingly blurring the lines between home and work networks.
"People assume that if a personal home computer has nothing of value on it, then it won't be a target for cyber-criminals; however, this is simply not true," Mackay told Infosecurity in an email.
"Threat actors will use any security hole or weakness to initially breach the network, and then move laterally across to their intended target – in this case, it was corporate data from cloud storage."
More generally, Javvad Malik, lead security awareness advocate at KnowBe4, said the incident is a persistent textbook attack where threat actors increased their foothold in stages and without rushing.
"Many times we see statements from organizations that have suffered a breach downplaying the incident and stating that no financial data was stolen," Malik told Infosecurity via email.
"But no incident should be considered small, and every incident should be fully investigated to ensure that any stolen information can't be used to launch further targeted attacks."
More information about the LastPass breach is available in this analysis by Infosecurity deputy editor James Coker.