<h1>LastPass attack saw employee’s home computer hacked</h1>
<p>Published 2023-02-28 at https://cloudnewshub.com/?p=88397</p>
<p>The threat actor behind <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/">a series of compromises</a> of credential management specialist LastPass attacked a DevOps engineer’s home computer to gain access to the organisation’s decryption keys, it has emerged.</p>
<p><a href="https://www.computerweekly.com/news/252524346/LastPass-breach-limited-in-scale-and-well-managed-say-experts">The first attack took place in August 2022</a>, and saw LastPass praised for its swift response to the incident, in which the attacker accessed some source code and proprietary technical information.</p>
<p>They then used the information obtained at that point – prior to a reset completed by LastPass – to enumerate and exfiltrate data from cloud storage resources, in a second, deeper and longer-lasting intrusion, <a href="https://www.computerweekly.com/news/252527880/LastPass-probes-new-cyber-incident-related-to-August-attack">disclosed in December 2022</a>, that saw them <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/">access customer data</a>.</p>
<p>Compromised customer data included account information such as company and user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers accessed LastPass.</p>
<p>The cyber criminals also accessed a backup of customer vault data including encrypted fields, but as these are encrypted with 256-bit AES and can only be decrypted using a key derived from the user’s master password, which is never known to LastPass, decrypting them would be very difficult as long as the user was following recommended best practice.</p>
<p>Initially, LastPass revealed only that the attacker had targeted a developer’s endpoint, but the investigation has now turned up more details.</p>
<p>“Due to the security controls protecting and securing the on-premise datacentre installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” <a href="https://support.lastpass.com/help/incident-2-additional-details-of-the-attack?uuid=dWiqMp06V4pkaMwU0470">LastPass revealed in a new update</a>.</p>
<p>“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution [RCE] capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.</p>
<p>“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources and some related critical database backups,” the organisation said.</p>
<p>It added that the engineer in question has been receiving support in hardening their home network and equipment.</p>
<p>LastPass said that due to the differing tactics, techniques and procedures (TTPs) used in the attack chain, it had not been immediately obvious that what appeared at first to be two different incidents <a href="https://www.techtarget.com/searchsecurity/podcast/Risk-Repeat-Breaking-down-the-LastPass-breach">were in fact linked</a>.</p>
<p>Additionally, it added, alerting and logging had been enabled throughout the events but did not immediately indicate the anomalous behaviour that later became more obvious. The fact that the unlucky engineer’s valid credentials were being used to access a shared cloud storage environment made it harder to differentiate between legitimate and illegitimate activity.</p>
<p>Ultimately, LastPass said, it had AWS to thank – it was the supplier’s GuardDuty alerts that flagged anomalous behaviour as the attacker tried to use cloud identity and access management (IAM) roles to perform unauthorised activity.</p>
<p>Since the attack, LastPass has taken a number of steps to harden its own cyber security, including rotating critical and high-privilege credentials, revoking and reissuing the compromised certificates, and applying additional hardening measures to its AWS S3 resources.</p>
<p>Given the apparent failings in its ability to respond swiftly to alerts, it has also revised its threat detection and response coverage, and on-boarded new automated and managed services to assist with this, including custom analytics to detect potential abuse of AWS resources.</p>