LastPass revealed more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.
LastPass disclosed a breach in December where threat actors stole partially encrypted password vault data and customer information.
The company has now disclosed how the threat actors performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer.
LastPass says this second coordinated attack used the stolen data from the first breach to gain access to the company's encrypted Amazon S3 buckets.
As only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers successfully installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package.
"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," reads a new security advisory published today.
"The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."
The use of valid credentials made it difficult for the company's investigators to detect the threat actor's activity, allowing the hacker to access and steal data from LastPass' cloud storage servers for over two months, between August 12, 2022, to October 26, 2022.
LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
The company says they have since updated their security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.
A large amount of data was accessed
As part of today's disclosure, LastPass has released more detailed information on what customer information was stolen in the attack.
Depending on the particular customer, this data is wide and varied, ranging from Multifactor Authentication (MFA) seeds, MFA API integration secrets, and to Split knowledge component (“K2”) Key for Federated business customers.
A complete list of stolen data is below, with a more detailed and easier-to-read chart on a support page.
Summary of data accessed in Incident 1:
On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
Internal scripts from the repositories – these contained LastPass secrets and certificates.
- Internal documentation – technical information that described how the development environment operated.
Summary of data accessed in Incident 2:
DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
All of today's support bulletins are not easy to find, with none of them listed in search engines, as the company added <meta name="robots" content="noindex">
HTML tags to the document to prevent them from being indexed by search engines.
LastPass released a PDF titled "Security Incident Update and Recommended Actions," which contains further information about the breach and the stolen data.
The company also created support documents containing recommended actions that should be taken for Free, Premium, and Families customers and LastPass Business Administrators.
These bulletins contain recommended steps to harden your LastPass account and integration further.
LastPass later told BleepingComputer that these articles were noindexed as they were part of an advanced disclosure to allow business administrators to prepare their company ahead of the planned public announcement.
LastPass also stated that the blog posts are now indexed and available to the public since March 1st and a link has been sent to all customers.”
Update 2/28/22: Added additional links to resources.
Updated 3/3/22: Added new statement from LastPass.
Comments
Icepop33 - 1 year ago
Much detail as always, good reporting. Anything is better than p@ssword123 ad infinitum, but I don't personally want to put all the eggs in one basket I don't control, either.
On a related note, my biggest worry with the newer "federated" authentication systems on the horizon is the mud and sharp glass you will be dragged through to convince whomever you must convince that you are really who you say you are when the system inevitably fails or is sabotaged. No thank you.
I already experienced that with a Microsoft-related age-gated game login which took precedence over all previous verification of identity with Skype with the only remedy to access my account ever again being to send my passport to some obscure address back east and hope and pray and chant. Some security there. It wasn't worth the ~$20 in my account that they got to "absorb" to pursue any other avenue. Baseball bats cost more than that.The experience was incredibly dystopian and I would relate the full story here, but I can't afford the anger management refresher class. Just don't let your pets know how easy it would be for them to lock you out of your Skype account forever, because they will use it against you. One less thing you can pay attention to that's not them.
Now extend the possibility of that kind of experience to every facet of your life and you can keep your centralized authentication systems, because humans are just as dumb today as they were that other day.
Icepop33 - 1 year ago
I want to further add that the penultimate problem with these black box systems being employed to perform authentication at scale for all participating (or perhaps it will be mandatory) entities in commerce is that when they fail, they bring down the whole village of card houses, not just one. There may be actually nothing within logical reason you can do except perhaps to rebuild your identity from scratch with no resources to live on; there may well be nothing "they" can do for you either, assuming you won't be treated like a criminal for attempting to impersonate yourself. You will likely have no recourse, but somebody with knowledge of the system or access to it, who is very much in the business of impersonating others is always going to have a leg up on being more YOU than you. A weak analogy might be copy protection. The only people it inconveniences would be the paying user with no penchant for "workarounds".
However, we need to brace ourselves, because it's the next thing.. The cows will follow the other cow moving faster and breaking fences, no matter how stupid it is if you stand back from the development environment and look at it critically. They believe technology can fix anything, these cows do, especially the bottom line. I personally believe it will culminate in a disastrous, dehumanizing clusterf*, ripe for abuse, especially considering how adversarial humans still are in this enlightened age, but I don't have to be a savant to see that because it's already happening incrementally. We're being led by the nose, we know it, we don't think we can do anything about it, and so the cancer grows larger in the pit of our souls.
/rant