The threat actor behind a series of compromises of credential management specialist LastPass attacked a DevOps engineer’s home computer to gain access to the organisation’s decryption keys, it has emerged.
The first attack took place in August 2022, and LastPass was praised for its swift response to the incident, in which the attacker accessed some source code and proprietary technical information.
They then used the information obtained at that point – prior to a reset completed by LastPass – to enumerate and exfiltrate data from cloud storage resources, in a second, deeper and longer-lasting intrusion, disclosed in December 2022, that saw them access customer data.
Compromised customer data included account information such as company and user names, billing addresses, email addresses, telephone numbers and IP addresses from where they accessed LastPass.
The cyber criminals also accessed a backup of customer vault data including encrypted fields, but because these fields are encrypted with 256-bit AES and can only be decrypted with a key derived from the user’s master password, which LastPass never holds, decrypting them would be very difficult as long as the user was following recommended best practice.
Initially, LastPass revealed only that the attacker targeted a developer’s endpoint, but the investigation has now turned up more details.
“Due to the security controls protecting and securing the on-premise datacentre installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” LastPass revealed in a new update.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution [RCE] capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources and some related critical database backups,” the organisation said.
It added that the engineer in question has been receiving support in hardening their home network and equipment.
LastPass said that due to the differing tactics, techniques and procedures (TTPs) used in the attack chain, it had not been immediately obvious that what appeared at first to be two different incidents were in fact linked.
Additionally, it added, alerting and logging had been enabled throughout the events but did not immediately indicate the anomalous behaviour that later became more obvious. The fact that the unlucky engineer’s valid credentials were being used to access a shared cloud storage environment made it harder to differentiate between legitimate and illegitimate activity.
Ultimately, LastPass said, it had AWS to thank – it was the supplier’s GuardDuty Alerts that flagged anomalous behaviour as the attacker tried to use cloud identity and access management roles to perform unauthorised activity.
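The detection problem described above, that activity under a legitimate engineer's credentials looks like the engineer's own work, is usually tackled by comparing each event against a per-principal baseline rather than by looking at any single event in isolation. The following is an added illustration, not code from LastPass, AWS or GuardDuty: it takes constructed CloudTrail-style records (the principal name, IP addresses from the documentation ranges, role and bucket names are all hypothetical), learns which source addresses and roles a principal normally uses, and flags a new source address, a role never assumed before, and a burst of object reads within a short window, which is the shape of an enumerate-and-exfiltrate session.

```python
"""Baseline-based detection of anomalous use of valid cloud credentials.

Added example; the events, names and addresses below are constructed for
illustration and do not come from any real incident log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CloudEvent:
    time: datetime
    principal: str   # IAM user or role session that made the call
    source_ip: str
    event_name: str  # e.g. AssumeRole, ListObjects, GetObject
    resource: str    # role or bucket/object the call touched


@dataclass(frozen=True)
class Finding:
    time: datetime
    principal: str
    kind: str
    detail: str


# Calls that read data; a burst of these is what an exfiltration looks like.
READ_OPS = {"GetObject", "ListObjects", "DescribeDBSnapshots"}


def ev(ts, principal, ip, name, resource):
    return CloudEvent(datetime.fromisoformat(ts), principal, ip, name, resource)


# Constructed baseline: the engineer's routine activity from their usual address.
BASELINE = [
    ev("2023-01-02T10:05:00", "devops-eng-1", "203.0.113.10", "AssumeRole", "role/prod-backup-reader"),
    ev("2023-01-02T10:06:00", "devops-eng-1", "203.0.113.10", "ListObjects", "bucket/prod-backups"),
    ev("2023-01-03T09:58:00", "devops-eng-1", "203.0.113.10", "AssumeRole", "role/prod-backup-reader"),
    ev("2023-01-03T09:59:00", "devops-eng-1", "203.0.113.10", "GetObject", "bucket/prod-backups/db-2023-01-02.bak"),
    ev("2023-01-04T10:12:00", "devops-eng-1", "203.0.113.10", "ListObjects", "bucket/prod-backups"),
]

# Constructed suspect window: the same valid credentials, but a new source
# address, a role the engineer never used, and thirty object reads in a minute.
SUSPECT = [
    ev("2023-01-08T02:14:00", "devops-eng-1", "198.51.100.77", "AssumeRole", "role/prod-backup-reader"),
    ev("2023-01-08T02:14:30", "devops-eng-1", "198.51.100.77", "AssumeRole", "role/prod-db-admin"),
] + [
    ev(f"2023-01-08T02:15:{s:02d}", "devops-eng-1", "198.51.100.77", "GetObject", f"bucket/prod-backups/chunk-{s}")
    for s in range(0, 60, 2)
]


def action_key(e):
    """Role assumptions are baselined per role; other calls per API name."""
    return (e.event_name, e.resource) if e.event_name == "AssumeRole" else (e.event_name, "*")


def build_baseline(events):
    """Learn the source addresses and actions each principal normally uses."""
    known_ips = defaultdict(set)
    known_actions = defaultdict(set)
    for e in events:
        known_ips[e.principal].add(e.source_ip)
        known_actions[e.principal].add(action_key(e))
    return known_ips, known_actions


def detect(events, baseline_events, burst_window=timedelta(minutes=5), burst_threshold=20):
    """Return findings for events that depart from the learned baseline."""
    known_ips, known_actions = build_baseline(baseline_events)
    findings, reported = [], set()
    recent_reads = defaultdict(deque)  # per-principal sliding window of read timestamps
    for e in sorted(events, key=lambda x: x.time):
        if e.source_ip not in known_ips[e.principal] and (e.principal, "ip", e.source_ip) not in reported:
            reported.add((e.principal, "ip", e.source_ip))
            findings.append(Finding(e.time, e.principal, "new-source-ip", e.source_ip))
        key = action_key(e)
        if key not in known_actions[e.principal] and (e.principal, "action", key) not in reported:
            reported.add((e.principal, "action", key))
            findings.append(Finding(e.time, e.principal, "unfamiliar-action", f"{e.event_name} {e.resource}"))
        if e.event_name in READ_OPS:
            window = recent_reads[e.principal]
            window.append(e.time)
            while window and e.time - window[0] > burst_window:
                window.popleft()
            if len(window) == burst_threshold:  # fire once, when the threshold is crossed
                findings.append(Finding(e.time, e.principal, "read-burst",
                                        f"{burst_threshold} read calls within {burst_window}"))
    return findings


if __name__ == "__main__":
    for f in detect(SUSPECT, BASELINE):
        print(f.time.isoformat(), f.principal, f.kind, f.detail)
```

Run stand-alone, the script reports three findings for the suspect window and none when the baseline is checked against itself. The design point is the one the article makes: none of the individual calls is illegitimate on its face, so the signal has to come from context (where the credentials are used from, which roles they assume, and how much they read, how fast), which is also the kind of behavioural signal a managed service like GuardDuty contributes.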
Since the attack, LastPass has taken a number of steps to harden its own cyber security, including rotating critical and high-privilege credentials, revoking and reissuing the compromised certificates, and applying additional hardening measures to its AWS S3 resources.
Given the apparent failings in its ability to respond swiftly to alerts, it has also revised its threat detection and response coverage, and on-boarded new automated and managed services to assist with this, including custom analytics to detect potential abuse of AWS resources.