Password management firm LastPass, which was hit by two data breaches last year, has revealed that data exfiltrated during the first intrusion, discovered in August, was used to target the personal home computer of one of its devops engineers and launch a second successful cyberattack, detected in November.
The threat actor behind both breaches infected the engineer's home computer with a keylogger, which captured information that enabled a second attack exfiltrating sensitive data from the company's AWS cloud storage, LastPass said in a cybersecurity incident update on Monday.
The company had disclosed information about the data breaches last year; the update reveals for the first time that the same threat actor was responsible for both.
The first intrusion ended on August 12 last year. However, LastPass now says the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity aimed at the company's cloud storage environment from August 12 to October 26, 2022.
"The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first. While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related," LastPass said in its update. There was no activity by the threat actor after October 26, the company added.
The developer whose home computer was infected with the keylogger was one of only four devops engineers at the company who had access to the decryption keys for the encrypted Amazon S3 buckets.
LastPass engineer's master password stolen
"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," LastPass said.
The threat actor then exported the native corporate vault entries and the contents of shared folders, which held encrypted secure notes containing the access and decryption keys needed to reach the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
Because the threat actor was using valid credentials, its activity looked like legitimate engineer access, which made it difficult for the company's investigators to detect.
In the first intrusion, in August, a software engineer's corporate laptop was compromised, allowing the threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets, LastPass CEO Karim Toubba said in a blog post addressed to customers.
No customer data or vault data was stolen during this incident, as LastPass did not keep any customer or vault data in the development environment.
Stolen data used to gain access in second breach
"We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident," Toubba said.
During the first incident, the threat actor was able to access on-demand, cloud-based development and source code repositories for 14 of the company's 200 software repositories.
The threat actor also accessed internal scripts from those repositories, which contained company secrets and certificates, as well as internal documentation, including technical information describing how the development environment operated.
In the second incident, the threat actor used the information stolen in the first intrusion to target a senior devops engineer and exploit vulnerable third-party software on the engineer's home computer to install a keylogger, Toubba said.
The threat actor used the information captured by the keylogger, including the engineer's credentials, to bypass the company's controls and ultimately gain access to cloud backups. The data accessed from these backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted customer data, the company said.
The threat actor also accessed devops secrets, including information used to gain access to cloud-based backup storage, and obtained a backup of the LastPass multifactor authentication (MFA) and federation database. That backup contained copies of the company's authenticator seeds, telephone numbers used for MFA backup, and a split-knowledge component (the K2 "key") used for LastPass federation, LastPass said.
The identity and motivation of the threat actor are unknown. There has been no contact and no demands, and LastPass said it has detected no credible underground activity indicating that the threat actor is actively marketing or selling any information obtained in either incident.
Remediation actions taken
LastPass has taken a number of steps to strengthen its security in the wake of the incidents. "We invested a significant amount of time and effort hardening our security while improving overall security operations," the CEO said.
These steps included helping devops engineers harden their home networks and personal resources, rotating critical and high-privilege credentials, and enabling custom analytics that can detect ongoing abuse of AWS resources. LastPass says it has millions of users and more than 100,000 businesses as customers.
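The update does not say what the "custom analytics" look like. The following is an added example, not LastPass's own code, of the kind of detection logic a team could run over CloudTrail S3 data events to catch the pattern the two incidents describe: a valid credential used from an unfamiliar host to enumerate a backup bucket and then pull its objects in bulk. Every record, principal ARN, bucket name, IP address and the source-IP baseline below is constructed for illustration; in practice the baseline would be derived from weeks of historical CloudTrail data rather than hard-coded.

```python
"""Detect valid-credential abuse of S3 backup buckets in CloudTrail events.

Added example for this article; it is not LastPass's tooling. Records,
principals, bucket names, IP addresses and the baseline are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DEVOPS = "arn:aws:iam::111122223333:user/devops-1"  # constructed principal

# Constructed baseline: source IPs each principal normally reaches S3 from.
KNOWN_IPS = {DEVOPS: {"203.0.113.10"}}
# Constructed watchlist of buckets holding production backups.
SENSITIVE_BUCKETS = {"prod-backups"}


def _rec(t, name, ip, bucket, key=None):
    """Build one constructed CloudTrail-style record (only the fields the detector reads)."""
    return {"eventTime": t, "eventName": name, "userIdentity": {"arn": DEVOPS},
            "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket, "key": key}}


# Constructed log: one normal read from the corporate egress IP, then a listing
# followed by a burst of object reads from an address never seen for this user.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2022-09-01T10:00:00Z", "GetObject", "203.0.113.10", "prod-backups", "db/0831.enc"),
    _rec("2022-09-14T02:10:00Z", "ListObjects", "198.51.100.7", "prod-backups"),
    _rec("2022-09-14T02:11:00Z", "GetObject", "198.51.100.7", "prod-backups", "db/0913.enc"),
    _rec("2022-09-14T02:12:00Z", "GetObject", "198.51.100.7", "prod-backups", "cfg/0913.enc"),
    _rec("2022-09-14T02:13:00Z", "GetObject", "198.51.100.7", "prod-backups", "mfa/0913.enc"),
    _rec("2022-09-14T02:14:00Z", "GetObject", "198.51.100.7", "dev-artifacts", "build.tgz"),
])


def parse_events(text):
    """Parse newline-delimited JSON records into flat dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"],
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "ip": rec.get("sourceIPAddress", ""),
            "bucket": (rec.get("requestParameters") or {}).get("bucketName", ""),
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events, known_ips=KNOWN_IPS, sensitive=SENSITIVE_BUCKETS,
           window=timedelta(minutes=15), burst=3):
    """Return (rule, principal, ip, bucket) alerts for two patterns:

    new_source          a sensitive bucket is touched by a baselined principal
                        from an IP outside its baseline (stolen credentials
                        replayed from the attacker's own host)
    enumerate_and_pull  a listing call followed by `burst` or more GetObject
                        calls on the same sensitive bucket within `window`
                        (bulk export of backups, regardless of source IP)
    """
    alerts, seen = [], set()
    last_list = {}              # (principal, bucket) -> time of last listing call
    reads = defaultdict(int)    # (principal, bucket) -> GetObjects since that listing
    for e in events:
        if e["bucket"] not in sensitive:
            continue
        key = (e["principal"], e["bucket"])
        baseline = known_ips.get(e["principal"])
        if baseline is not None and e["ip"] not in baseline:
            alert = ("new_source", e["principal"], e["ip"], e["bucket"])
            if alert not in seen:       # one alert per (principal, ip, bucket)
                seen.add(alert)
                alerts.append(alert)
        if e["name"].startswith("List"):
            last_list[key] = e["time"]
            reads[key] = 0
        elif (e["name"] == "GetObject" and key in last_list
              and e["time"] - last_list[key] <= window):
            reads[key] += 1
            if reads[key] == burst:
                alerts.append(("enumerate_and_pull", e["principal"], e["ip"], e["bucket"]))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

Two caveats a practitioner would want. First, the source-IP rule is blind if the attacker proxies through the compromised home machine itself, since the requests then arrive from the engineer's usual address; that is why the second rule keys only on the shape of the access (enumerate, then bulk read) and not on where it comes from. Second, CloudTrail only records GetObject and ListObjects when S3 data events are enabled for the bucket; without that, neither rule has anything to run on.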
Copyright © 2023 IDG Communications, Inc.