LastPass says an employee’s home computer was hacked and the corporate vault was taken


Already smarting from a breach that put partially encrypted login data in the hands of a threat actor, LastPass on Monday said the same attacker hacked into an employee’s home computer and obtained a corporate password vault that only a handful of company developers had access to.

Although the LastPass intrusion ended on August 12, officials with the password manager said the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities” from August 12 to August 26. During that time, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and gain access to the contents of a LastPass data vault. Among other things, that vault gave access to a shared cloud storage environment containing the encryption keys for customer vault backups stored in Amazon S3 buckets.

A bombshell

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials said. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the LastPass corporate vault.”

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported its entries, including “the decryption keys needed to access the AWS S3 LastPass backups, other cloud-based storage resources, and other sensitive database information.”

Monday’s update comes two months after LastPass issued a previous bombshell update that, for the first time, said that, contrary to earlier claims, attackers had obtained customer vault backups containing personal and confidential information. LastPass said the threat actor had also obtained a cloud storage access key and the decryption keys for two storage containers, which allowed it to copy customer vault backup data out of the encrypted storage container.

The backup data includes both unencrypted data, such as website URLs, and sensitive fields such as website usernames and passwords, secure notes, and other details, which are additionally encrypted with 256-bit AES. Monday’s new details reveal how the threat actor obtained the S3 encryption keys.

Monday’s statement said the tactics, techniques, and procedures used in the first incident were different from those used in the second, and as a result it was not initially obvious to investigators that the two were directly related. During the second incident, the actor used information obtained during the first incident to enumerate and ultimately exfiltrate the data stored in the S3 buckets.

“Alerting and logging were enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials said. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access the shared cloud storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

LastPass learned of the second incident from an Amazon alert about anomalous behavior, triggered when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
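The detection problem the two paragraphs above describe is that every event was made with a valid credential, so no single log line looks wrong. One way a defender gets around that is to baseline each principal and flag departures from it. The following is an added example, not LastPass or AWS code, and the principal ARN, IP addresses and events are constructed CloudTrail-style samples: it compares each event against the engineer’s known source IPs and API calls, and counts bursts of S3 listing and reads from one origin, the shape of the enumeration and exfiltration the article describes.

```python
from collections import defaultdict

DEVOPS = "arn:aws:iam::123456789012:user/devops-eng"  # hypothetical principal

def ev(time, name, ip, arn=DEVOPS):
    """Build a minimal CloudTrail-style event with only the fields read below."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}}

# Constructed sample log: normal work from the office IP, then the same valid
# principal from a new IP listing buckets and pulling objects late at night.
SAMPLE_EVENTS = [
    ev("2022-08-11T09:00:00Z", "GetObject",   "203.0.113.10"),
    ev("2022-08-11T09:05:00Z", "PutObject",   "203.0.113.10"),
    ev("2022-08-13T02:10:00Z", "ListBuckets", "198.51.100.7"),
    ev("2022-08-13T02:11:00Z", "ListObjects", "198.51.100.7"),
    ev("2022-08-13T02:12:00Z", "GetObject",   "198.51.100.7"),
    ev("2022-08-13T02:12:30Z", "GetObject",   "198.51.100.7"),
    ev("2022-08-13T02:13:00Z", "GetObject",   "198.51.100.7"),
]

# Per-principal baseline learned from earlier weeks of logs (constructed here).
BASELINE = {DEVOPS: {"ips": {"203.0.113.10"}, "actions": {"GetObject", "PutObject"}}}
S3_READS = {"ListBuckets", "ListObjects", "GetObject"}

def detect(events, baseline, burst_threshold=3):
    """Return (reason, principal, detail) findings, each reported once."""
    findings, seen = [], set()
    read_counts = defaultdict(int)

    def flag(reason, principal, detail):
        key = (reason, principal, detail)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for event in events:
        principal = event["userIdentity"]["arn"]
        ip, action = event["sourceIPAddress"], event["eventName"]
        known = baseline.get(principal)
        if known is None:
            flag("unknown-principal", principal, action)
            continue
        if ip not in known["ips"]:          # valid credential, unfamiliar origin
            flag("new-source-ip", principal, ip)
        if action not in known["actions"]:  # valid credential, unfamiliar API call
            flag("new-api-call", principal, action)
        if action in S3_READS:              # many list/read calls from one origin
            read_counts[(principal, ip)] += 1
            if read_counts[(principal, ip)] == burst_threshold:
                flag("s3-read-burst", principal, ip)
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

The first two events produce no findings at all, which is exactly why logging alone did not help; the findings only appear once the same key is compared against what that principal normally does.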

According to a person briefed on a private report from LastPass who spoke on condition of anonymity, the media software package used on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident began. That breach allowed the attacker to access a proprietary database and obtain the personal information, usernames, and emails of some of its 30 million customers. Plex is a major provider of streaming media services that allows users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.

It’s not clear whether the Plex breach is related to the LastPass intrusion. Representatives for LastPass and Plex did not respond to emails seeking comment for this story.

The threat actor behind the LastPass breach has proven particularly dangerous, and the revelation that it managed to exploit vulnerable software on an employee’s home computer only strengthens that assessment. As Ars advised in December, all LastPass users should change their master passwords and all the passwords stored in their vaults. While it is not clear whether the threat actor has access to either, the precaution is warranted.
