LastPass reports that the same threat actor who breached its systems in August used exfiltrated data to target the home computer of an engineer and launch a second successful cyberattack.

Password management company LastPass, which was hit by two data breaches last year, has revealed that data exfiltrated during the first intrusion, discovered in August, was used to target the personal home computer of one of its devops engineers and launch a second successful cyberattack, detected in November.

The threat actor involved in the breaches infected the engineer’s home computer with a keylogger, which recorded information that enabled a cyberattack that exfiltrated sensitive information from the company’s AWS cloud storage servers, LastPass said in a cybersecurity incident update Monday.

The company had divulged information about the data breaches last year; the update reveals for the first time that the same threat actor was responsible for both breaches. The first intrusion ended on August 12 last year. However, LastPass now says that the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity aimed at the company’s cloud storage environment from August 12 to October 26, 2022.

“The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first. While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related,” LastPass said in its update. There has been no activity by the threat actor after October 26, the company added.

The developer whose home computer was infected with the keylogger was one of only four devops engineers in the company who had access to the decryption keys of encrypted Amazon S3 buckets.
LastPass engineer’s master password stolen

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the devops engineer’s LastPass corporate vault,” LastPass said.

The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. The use of valid credentials made it difficult for the company’s investigators to detect the threat actor’s activity.

In the first intrusion, in August, a software engineer’s corporate laptop was compromised, allowing the threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets, LastPass CEO Karim Toubba said in a blog addressed to customers. No customer data or vault data was stolen during this incident, as LastPass did not have any customer or vault data in the development environment.

Stolen data used to gain access in second breach

“We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident,” Toubba said.
During the first incident, the threat actor was able to access on-demand, cloud-based development and source code repositories, reaching 14 out of 200 software repositories. Internal scripts from the repositories, which contained company secrets and certificates as well as internal documentation including technical information that described how the development environment operated, were also accessed by the threat actor.

In the second incident, the threat actor used the information stolen in the first intrusion to target a senior devops engineer and exploit vulnerable third-party software to install a keylogger, Toubba said. The threat actor leveraged information from the keylogger malware, including the engineer’s credentials, to bypass controls and ultimately gain access to cloud backups.

The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted customer data, the company said. The threat actor also accessed devops secrets, including information used to gain access to cloud-based backup storage. The threat actor also gained access to a backup of the LastPass multifactor authentication (MFA) and federation database, which contained copies of the company’s authenticator seeds, telephone numbers used for MFA backup, and a split-knowledge component (the K2 “key”) used for LastPass federation, LastPass said.

The identity of the threat actor and their motivation are unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident, LastPass said.

Remediation actions taken

LastPass has taken several steps to strengthen its security in the wake of the incidents. “We invested a significant amount of time and effort hardening our security while improving overall security operations,” the CEO said.
Some of this included assisting devops engineers with hardening the security of their home network and personal resources, rotating critical and high privilege credentials, and enabling custom analytics that can detect ongoing abuse of AWS resources. LastPass says it has millions of users and more than 100,000 businesses as customers.
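The last remediation item, custom analytics that detect ongoing abuse of AWS resources, is the kind of control that would have had a chance against this intrusion, where the credentials were valid but the access pattern was not. The following is an added illustration written for this page, not LastPass’s own analytics or anything published by the company. It runs three simple rules over constructed CloudTrail-style S3 data events: reads of backup buckets by a principal that is not on an allowlist, reads from outside a corporate egress range, and bulk object downloads by one principal inside a short window. The bucket names, principal ARNs, IP ranges and thresholds are all hypothetical values chosen for the example; the second and third rules are the ones that still fire when, as in the LastPass case, the identity itself is legitimate.

```python
"""Added example (not LastPass code): flag unusual access to backup buckets
in CloudTrail-style S3 data events.

All names below are constructed for the example:
  BACKUP_BUCKETS      buckets whose reads we care about
  EXPECTED_PRINCIPALS identities that normally touch those buckets
  CORP_CIDR           the egress range reads normally come from (TEST-NET-2)
  BULK_THRESHOLD      GetObject calls by one principal within BULK_WINDOW seconds
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

BACKUP_BUCKETS = {"example-prod-backups", "example-db-backups"}
ROLE = "arn:aws:iam::111122223333:role/BackupWriter"   # constructed
ENG = "arn:aws:iam::111122223333:user/devops-eng"      # constructed
EXPECTED_PRINCIPALS = {ROLE, ENG}
CORP_CIDR = ipaddress.ip_network("198.51.100.0/24")
BULK_THRESHOLD = 3
BULK_WINDOW = 600  # seconds


def mk(time, name, principal, ip, bucket):
    """Build a constructed event carrying only the CloudTrail fields used here."""
    return {
        "eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": principal}, "sourceIPAddress": ip,
        "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"}],
    }


# Constructed sample: a normal backup write and one normal read from the office,
# then a burst of reads from an outside address, plus an unrelated principal.
SAMPLE_EVENTS = [
    mk("2022-10-01T09:00:00Z", "PutObject", ROLE, "198.51.100.10", "example-prod-backups"),
    mk("2022-10-01T09:05:00Z", "GetObject", ENG, "198.51.100.23", "example-prod-backups"),
    mk("2022-10-01T09:10:00Z", "GetObject", ENG, "203.0.113.7", "example-prod-backups"),
    mk("2022-10-01T09:12:00Z", "GetObject", ENG, "203.0.113.7", "example-prod-backups"),
    mk("2022-10-01T09:15:00Z", "GetObject", ENG, "203.0.113.7", "example-db-backups"),
    mk("2022-10-01T09:16:00Z", "ListBucket", ENG, "203.0.113.7", "example-db-backups"),
    mk("2022-10-01T09:20:00Z", "ListBucket", "arn:aws:iam::111122223333:user/intern",
       "198.51.100.40", "example-db-backups"),
    mk("2022-10-01T09:21:00Z", "GetObject", "arn:aws:iam::111122223333:user/web",
       "203.0.113.9", "example-website-assets"),  # not a backup bucket: ignored
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_of(event):
    """Return the bucket name from the event's resources, or None."""
    for r in event.get("resources", []):
        if r.get("type") == "AWS::S3::Bucket":
            return r["ARN"].split(":::")[-1]
    return None


def analyze(events):
    """Return a list of findings; each is a dict with rule, principal, detail, time."""
    findings = []
    reads = defaultdict(list)   # principal -> timestamps of recent GetObject calls
    bulk_flagged = set()
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        bucket = bucket_of(e)
        if bucket not in BACKUP_BUCKETS:
            continue
        principal = e["userIdentity"]["arn"]
        when = e["eventTime"]
        try:
            ip = ipaddress.ip_address(e["sourceIPAddress"])
        except ValueError:
            ip = None  # e.g. "s3.amazonaws.com" when an AWS service makes the call
        if principal not in EXPECTED_PRINCIPALS:
            findings.append({"rule": "unexpected_principal", "principal": principal,
                             "detail": bucket, "time": when})
        if ip is not None and ip not in CORP_CIDR:
            findings.append({"rule": "external_source_ip", "principal": principal,
                             "detail": str(ip), "time": when})
        if e["eventName"] == "GetObject":
            ts = parse_ts(when)
            # keep only reads inside the sliding window, then count
            reads[principal] = [t for t in reads[principal]
                                if (ts - t).total_seconds() <= BULK_WINDOW] + [ts]
            if len(reads[principal]) >= BULK_THRESHOLD and principal not in bulk_flagged:
                bulk_flagged.add(principal)
                findings.append({"rule": "bulk_download", "principal": principal,
                                 "detail": bucket, "time": when})
    return findings


def summarize(findings):
    """Count findings per rule, handy for a dashboard or a quick sanity check."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    print(summarize(analyze(SAMPLE_EVENTS)))
```

On the sample data the allowlist rule fires once (the intern), while the devops engineer’s own legitimate identity is caught only by the external-address and bulk-download rules; that mirrors the article’s point that valid credentials defeat identity-based checks and the behavioural signals have to carry the detection. In a real deployment the events would come from a CloudTrail data-event trail with S3 object-level logging enabled for the backup buckets, and the thresholds would be tuned to the backup jobs’ actual cadence.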