LastPass breach tied to hack of engineer's home computer
LastPass said a threat actor hacked an employee's home computer to access a corporate password vault and steal decryption keys for its product backups and cloud storage resources.
A major LastPass breach that occurred in November involved the compromise of a DevOps engineer's home computer, according to the password manager.
LastPass on Monday provided additional details surrounding the two breaches it suffered last year. The first incident was initially disclosed last August and involved the theft of "proprietary LastPass technical information" and source code.
The second incident was first disclosed as an incident "under investigation" in late November before being detailed in a Dec. 22 blog post update. According to LastPass CEO Karim Toubba, an unnamed threat actor used data obtained from the August breach to target an employee and steal credentials and decryption keys.
One of Monday's updates provided further details on how the threat actor stole the keys -- by hacking into the home system of a LastPass DevOps engineer who had access to "a highly restricted set of shared folders" in a corporate LastPass vault. Those shared folders contained a bevy of sensitive data, including decryption keys for crucial cloud resources.
These keys allowed the threat actor to copy and exfiltrate certain customer data from backups. This data included company and end-user names, billing addresses, telephone numbers and more. The actor also obtained a backup of customer vault data containing encrypted website usernames and passwords, plus unencrypted data such as website URLs. This second, highly publicized incident led to criticism of the password manager.
The vendor's updates provided a more complete picture of the events surrounding both breaches, according to its investigation. LastPass also published a security incident document that compiled all relevant details into one file.
'Incident 1'
LastPass said in the first incident's post that it was first alerted to suspicious activity on Aug. 12, "in a cloud-based development environment used for on-demand and pre-production development, integration, testing, and validation."
The password manager said it observed patterns of behavior that were inconsistent with the software engineering employee who was shown to have accessed the development resources, and it quickly became clear that "the software engineer's corporate laptop had been compromised to allow access to resources to which the engineer was legitimately granted access."
LastPass launched its incident response the following day with the assistance of Mandiant. The password manager said the initial threat vector is currently unknown due to "anti-forensic activity" performed by the actor. The compromised laptop contained an endpoint detection and response agent, which was "tampered with" and not triggered during the breach.
However, the investigation did still find significant details regarding the threat actor's behavior.
"The threat actor used third-party VPN services to obfuscate the origin of their activity when accessing the cloud-based development environment and used its access to impersonate the software engineer," the post read. "Using this approach, they were able to 'tailgate' into the on-demand development environment via our corporate VPN, as well as a dedicated connection to the cloud-based development environment. They did so by relying upon the software engineer's successful authentication with domain credentials and MFA. No privilege escalation was identified or required."
The threat actor accessed technical documentation and source code, enabling them to "exfiltrate 14 of approximately 200 source code repositories of various components of the LastPass service."
"Some of these source code repositories included cleartext embedded credentials, stored digital certificates related to our development environments, and some encrypted credentials used for production capabilities such as backup," the post read. "These encrypted credentials require a separate decryption key which was not available to the software engineer or the threat actor during this incident."
In the second incident's post, LastPass said the threat actor used data obtained from the initial attack, third-party breach data and a flaw in an unnamed "third-party media software package" to launch the second attack.
'Incident 2'
The password manager revealed that both attacks were part of one overall campaign. After LastPass caught on to the threat activity on Aug. 12, the actor "actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment" that lasted until Oct. 26.
"The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources," LastPass said.
To reach the cloud resources it ultimately accessed -- which included "AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups" -- the threat actor needed AWS access keys and LastPass-generated decryption keys.
To decrypt the encrypted credentials obtained from the first attack and required for the second, the threat actor needed to access either a "segregated and secured" orchestration platform and key-value store, or a set of shared folders in a LastPass password management vault used by DevOps engineers. The actor opted for the latter.
They targeted one of the four DevOps engineers who had access to the corporate LastPass vault containing the necessary decryption keys, and succeeded by gaining access to the engineer's home computer via a remote code execution exploit in the aforementioned third-party media software package. The attacker installed keylogger malware on the engineer's computer.
"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," the update said.
TechTarget Editorial asked for additional details regarding the implementation of multifactor authentication, but LastPass had not responded at press time.
Both posts also contain bulleted lists of actions LastPass has taken as part of the investigation and incident response. They include rotating credentials, purchasing hardware authentication devices for developers and deploying new security solutions.
Alexander Culafi is a writer, journalist and podcaster based in Boston.