In December 2022, password manager provider LastPass disclosed a data breach in which threat actors stole customer information and copies of customer password vaults. The vault data was only partially encrypted: sensitive fields such as passwords are encrypted, but other fields, such as website URLs, were stored in the clear. The company has now gone on record to explain how the attackers carried out the intrusion.
A multi-layered attack campaign in action
LastPass explained that hackers had used information stolen during a data breach in August 2022 combined with information from another leak and a remote code execution (RCE) vulnerability to plant a keylogger on a computer belonging to one of the firm’s senior DevOps engineers.
In its recent statement, LastPass commented that the second coordinated attack employed the stolen data obtained in the initial breach to achieve access to the enterprise’s Amazon S3 buckets.
The backups in those buckets were encrypted, and only four LastPass DevOps engineers held the decryption keys. Unsurprisingly, the threat actors targeted one of those four engineers. They succeeded in installing a keylogger on the engineer's computer by exploiting a vulnerability in a piece of third-party media software running on it.
The security notification from the company commented:
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
Legitimate credentials obscured the threat
Because the attackers used legitimate credentials, their activity blended in with normal administrative work and was harder for LastPass's investigators to distinguish from it. As a result, the hackers were able to access and exfiltrate sensitive data from the company's cloud storage over a period of more than two months, from 12 August to 26 October 2022.
LastPass ultimately spotted the anomalous behaviour through Amazon GuardDuty alerts, triggered when the threat actor attempted to use cloud Identity and Access Management (IAM) roles to perform unauthorised activity.
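The detection that finally caught the intrusion rested on one idea: valid credentials, used in a way the legitimate owner never uses them. The script below is an added example, not LastPass's or Galaxkey's code and not how GuardDuty is implemented, showing that idea over constructed CloudTrail-style records. It learns which networks and IAM roles an identity normally uses during a baseline window and then flags later use of the same credentials from a new network, assumption of a role never assumed before, reads of a sensitive bucket from outside trusted ranges, and bulk reads of that bucket. The bucket name, role ARNs, account ID, user name and IP ranges are all hypothetical (the IP ranges are RFC 5737 documentation addresses).

```python
"""Flag anomalous use of otherwise valid IAM credentials in CloudTrail-style events.

Added example, not code from LastPass or Galaxkey. All records below are
constructed; names, ARNs and networks are hypothetical.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Assumption: these are the only networks the DevOps team works from.
TRUSTED_NETWORKS = (
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical corporate egress
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical CI/CD VPC NAT
)
SENSITIVE_BUCKETS = {"prod-backups"}          # hypothetical backup bucket
BULK_READ_THRESHOLD = 3                       # reads per user+IP+day before flagging export

BACKUP_ROLE = "arn:aws:iam::111122223333:role/BackupOperator"   # hypothetical
DB_ROLE = "arn:aws:iam::111122223333:role/DatabaseAdmin"        # hypothetical


def _ts(s):
    """Parse a CloudTrail eventTime such as 2022-08-12T22:41:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _event(time, name, user, ip, role=None, bucket=None):
    """Constructed CloudTrail-like record holding only the fields the rules use."""
    return {"eventTime": time, "eventName": name, "userName": user,
            "sourceIPAddress": ip, "roleArn": role, "bucket": bucket}


# Constructed log: two normal sessions from the corporate network, then the same
# credentials replayed from an unfamiliar address with bulk reads and a new role.
SAMPLE_EVENTS = [
    _event("2022-07-05T09:12:00Z", "AssumeRole", "devops-eng", "203.0.113.17", role=BACKUP_ROLE),
    _event("2022-07-05T09:13:00Z", "GetObject", "devops-eng", "203.0.113.17", bucket="prod-backups"),
    _event("2022-07-19T14:02:00Z", "AssumeRole", "devops-eng", "203.0.113.22", role=BACKUP_ROLE),
    _event("2022-07-19T14:05:00Z", "GetObject", "devops-eng", "203.0.113.22", bucket="prod-backups"),
    _event("2022-08-12T22:41:00Z", "AssumeRole", "devops-eng", "192.0.2.44", role=BACKUP_ROLE),
    _event("2022-08-12T22:42:00Z", "GetObject", "devops-eng", "192.0.2.44", bucket="prod-backups"),
    _event("2022-08-12T22:42:30Z", "GetObject", "devops-eng", "192.0.2.44", bucket="prod-backups"),
    _event("2022-08-12T22:43:00Z", "GetObject", "devops-eng", "192.0.2.44", bucket="prod-backups"),
    _event("2022-08-12T22:50:00Z", "AssumeRole", "devops-eng", "192.0.2.44", role=DB_ROLE),
]


def in_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(events, baseline_end):
    """Return findings as (eventTime, rule, detail) tuples, oldest first.

    Events before baseline_end only teach the detector which (user, /24 network)
    and (user, role) pairs are normal; later events are judged against that.
    Rules: new-network, new-role, untrusted-ip (sensitive bucket read from
    outside TRUSTED_NETWORKS), bulk-read (BULK_READ_THRESHOLD reads of a
    sensitive bucket by one user+IP on one day). Each fires once per key.
    """
    cutoff = _ts(baseline_end)
    seen_nets, seen_roles, untrusted_alerted = set(), set(), set()
    reads = Counter()
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        when, user, ip = _ts(ev["eventTime"]), ev["userName"], ev["sourceIPAddress"]
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        role = ev["roleArn"]
        if when < cutoff:                      # learning phase: no alerts
            seen_nets.add((user, net))
            if role:
                seen_roles.add((user, role))
            continue
        if (user, net) not in seen_nets:
            findings.append((ev["eventTime"], "new-network", f"{user} from {ip}"))
            seen_nets.add((user, net))
        if ev["eventName"] == "AssumeRole" and (user, role) not in seen_roles:
            findings.append((ev["eventTime"], "new-role", f"{user} -> {role}"))
            seen_roles.add((user, role))
        if ev["eventName"] == "GetObject" and ev["bucket"] in SENSITIVE_BUCKETS:
            if not in_trusted_network(ip) and (ip, ev["bucket"]) not in untrusted_alerted:
                findings.append((ev["eventTime"], "untrusted-ip", f"{ip} read {ev['bucket']}"))
                untrusted_alerted.add((ip, ev["bucket"]))
            key = (user, ip, when.date())
            reads[key] += 1
            if reads[key] == BULK_READ_THRESHOLD:
                findings.append((ev["eventTime"], "bulk-read", f"{user}@{ip} read {ev['bucket']} {reads[key]}x"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, "2022-08-01T00:00:00Z"):
        print(*f)
```

Run against the sample log with a baseline ending 1 August 2022, the legitimate July sessions produce nothing, while the August session from 192.0.2.44 yields four findings in order: new-network, untrusted-ip, bulk-read and new-role. The point to take from it is the same one the article makes: none of these rules needs to know the credentials were stolen, only that a known identity is behaving differently from its own history, which is why a behavioural baseline rather than a signature is what catches this class of intrusion.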
The attackers accessed an extensive array of customer data during the breach. What was exposed varies by customer, but examples include multifactor authentication (MFA) seeds, application programming interface (API) integration secrets, and the split knowledge component keys belonging to the company's federated business customers.
Cloud-based development and source code repositories were also accessed, along with internal scripts in those repositories that contained LastPass certificates and secrets. Internal technical documentation was accessed as well, including material describing DevOps secrets and cloud-based backups, among other data types.
The company states that it has since hardened its security posture, including rotating authentication tokens and sensitive credentials, adding further logging and alerting, and introducing stricter data security policies, with the aim of preventing a repeat of the breach.
Data breach prevention with encryption
Here at Galaxkey, we believe that encrypting data is the best way of stopping it from getting into the wrong hands and being exposed. We’ve created a state-of-the-art encryption platform that allows organisations to protect data seamlessly and ensure only the correct people can access it. You can get a demonstration to see just how easy it is to prevent data breaches with our technology.