LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults

February 28, 2023 | Rabbi Lakshmanan | Password Security / Data Breach

LastPass, which in December 2022 disclosed a serious data breach that allowed attackers to gain access to encrypted password vaults, said the breach occurred as a result of the same adversary launching a second attack on the company’s systems.

According to the company, one of its DevOps engineers had their personal home computer compromised and infected with a keylogger as part of an ongoing cyberattack to steal sensitive data from its Amazon AWS cloud storage servers.

“Threat actors launched a coordinated second attack leveraging information stolen from the initial incident, information obtained from a third-party data breach, and vulnerabilities in third-party media software packages,” said the password management service.

The intrusion targeted the company’s infrastructure, resources, and one of its employees from August 12, 2022 to October 26, 2022. Meanwhile, the first incident ended on August 12, 2022.

In the August breach, an intruder used one compromised employee account to access source code and proprietary technical information from a development environment.

In December 2022, LastPass disclosed that attackers used stolen information to gain access to a cloud-based storage environment and obtain “certain elements of customer information.”

Later that same month, it was revealed that an unknown attacker had gained access to backups of customer vault data, which the company said were protected using 256-bit AES encryption. It’s not clear when the backup was made.

GoTo, the parent company of LastPass, also acknowledged a breach last month stemming from unauthorized access to a third-party cloud storage service.

According to the company, the attackers launched a new series of “reconnaissance, enumeration and exfiltration campaigns” targeting the company’s cloud storage service between August and October 2022.

“Specifically, the attackers were able to access a shared cloud storage environment using valid credentials stolen from a senior DevOps engineer,” LastPass said. “We were able to access the required decryption key,” it added.

This allowed the malicious actor to gain access to AWS S3 buckets that house LastPass customer backups and encrypted vault data.

The employee’s passwords were allegedly siphoned by targeting the individual’s home computer, leveraging “vulnerable third-party media software packages” to achieve remote code execution, and planting keylogger software.

“The threat actor was able to obtain the employee’s master password entered and access the DevOps engineer’s LastPass corporate vault after the employee was authenticated with MFA,” LastPass said.

LastPass did not disclose the name of the third-party media software used, but there are indications it could be Plex, based on the fact that it underwent its own breach in late August 2022.

In the aftermath of the incident, LastPass upgraded its security posture by rotating critical and highly privileged credentials, reissuing attacker-obtained certificates, applying additional S3 hardening measures to improve logging, and introducing an alert mechanism.

LastPass users are strongly encouraged to change their master password and all passwords stored in their vaults to reduce potential risks (if they haven’t done so already).
