On Monday, LastPass said that the same attacker hacked into an employee’s personal computer and obtained a decrypted vault accessible to a handful of enterprise developers.
Although an initial intrusion into LastPass ended on August 12, officials at the leading password manager said the threat actor, from August 12 to 26, was “actively engaged in a new series of reconnaissance, enumeration, and exfiltration.” An unknown malicious actor was able to steal valid credentials from a senior DevOps engineer and gain access to the contents of a LastPass data vault. Among other things, the vault provided access to a shared cloud storage environment that contained encryption keys for client vault backups stored in Amazon S3 buckets.
Another bomb drops
“This was accomplished by targeting the DevOps engineer’s personal computer and exploiting a vulnerable third-party multimedia software package, which enabled remote code execution capability and allowed the threat actor to plant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the employee’s LastPass corporate vault.”
The hacked DevOps engineer was one of only four LastPass employees with access to the company vault. Once in possession of the decrypted vault, the threat actor exported the entries, including “decryption keys needed to access AWS S3 LastPass production backups, other cloud-based storage resources and certain associated critical database backups”.
Monday’s update comes two months after LastPass released a previous explosive update which indicated for the first time that, contrary to previous claims, attackers had obtained client vault data containing both encrypted and unencrypted data. LastPass then said that the threat actor also obtained a cloud storage access key and decryption keys from the duplicate storage container, allowing the client vault backup data to be copied from the encrypted storage container.
The backup data contained both unencrypted data, such as website URLs, and fields such as website usernames and passwords, secure notes, and form-filled data, which had an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.
Monday’s update said the tactics, techniques and procedures used in the first incident were different from those used in the second, and therefore it was not initially clear to investigators that the two were directly linked. In the second incident, the threat actor used the information obtained in the first to enumerate and exfiltrate data stored in S3 buckets.
“Alerting and logging were enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to gain access to a shared cloud storage environment, which initially made it difficult for investigators to tell the difference between the threat actor’s activity and the ongoing legitimate activity.”
LastPass became aware of the second incident through warnings from Amazon about abnormal behavior when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
According to a person briefed on a private LastPass report and speaking on condition of anonymity, the media package running on the employee’s personal computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident began. The breach allowed the threat actor to gain access to a proprietary database and steal password data, usernames and emails belonging to some of its 30 million clients. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.
It’s unclear if the Plex breach has anything to do with the LastPass intrusions. Representatives for LastPass and Plex did not respond to emails seeking comment on this story.
The threat actor behind the LastPass breach has proven to be particularly resourceful, and the revelation that they successfully exploited a software vulnerability on an employee’s personal computer further reinforces this view. As Ars advised in December, all LastPass users should change their master passwords and any passwords stored in their vaults. While it’s unclear whether the threat actor has access to either, the precautions are warranted.