LastPass reveals exactly how it was hacked


LastPass has shared more details about the December data breach that rocked the industry, and the attack reads like something out of a spy movie.

In a security advisory, the password manager reported that two supposedly unrelated incidents were in fact part of a single larger campaign. It also said that the threat actors had specifically targeted one of the company's 4 DevOps engineers, further underlining the sophistication of the operation.

LastPass' investigation concluded that there were two incidents: one reported in August and one reported in December.

Accessing the S3 buckets

The threat actors used information gleaned from the first attack, as well as information from an entirely separate cybersecurity breach, to identify the company's encrypted Amazon S3 cloud storage repositories.

But to read the buckets, they needed the decryption keys, which only 4 LastPass DevOps engineers held. So they went after one of them, exploiting a code execution vulnerability in a third-party media software package installed on the engineer's personal computer. This let them install a keylogger on the machine, sidestepping the corporate security controls the engineer would otherwise have been protected by.

"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," the company explained.

"The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."

Because the attackers used valid login credentials, the company's cybersecurity team did not identify the activity as malicious. Consequently, the threat actor hid in the company's storage servers for a couple of months.
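The paragraph above describes the detection gap: the credentials were valid, so nothing flagged the access. One defensive check for that situation, added here as an example and not taken from the article or from LastPass, is to baseline each principal's source addresses over CloudTrail-style S3 data events and then flag reads of sensitive backup buckets from an address that principal has never used. The event shape, bucket name and IP addresses below are constructed and simplified.

```python
from collections import defaultdict

# Constructed, simplified CloudTrail-style S3 data events (not real LastPass logs).
# The first three events form the engineer's normal baseline; the fourth reuses the
# same valid credentials from an address the engineer has never used.
SAMPLE_EVENTS = [
    {"eventTime": "2022-08-02T09:01:00Z", "eventName": "ListObjects", "user": "devops-1",
     "sourceIPAddress": "203.0.113.10", "bucket": "prod-backups-example"},
    {"eventTime": "2022-08-03T10:12:00Z", "eventName": "GetObject", "user": "devops-1",
     "sourceIPAddress": "203.0.113.11", "bucket": "prod-backups-example"},
    {"eventTime": "2022-08-04T11:30:00Z", "eventName": "GetObject", "user": "devops-1",
     "sourceIPAddress": "203.0.113.10", "bucket": "build-artifacts-example"},
    {"eventTime": "2022-08-20T02:17:00Z", "eventName": "GetObject", "user": "devops-1",
     "sourceIPAddress": "198.51.100.77", "bucket": "prod-backups-example"},
    {"eventTime": "2022-08-21T09:05:00Z", "eventName": "GetObject", "user": "devops-1",
     "sourceIPAddress": "203.0.113.10", "bucket": "prod-backups-example"},
]

SENSITIVE_BUCKETS = {"prod-backups-example"}


def build_baseline(events, learn_until):
    """Map each principal to the set of source IPs it used before learn_until.

    ISO-8601 UTC timestamps compare correctly as strings, so no parsing is needed.
    """
    baseline = defaultdict(set)
    for e in events:
        if e["eventTime"] < learn_until:
            baseline[e["user"]].add(e["sourceIPAddress"])
    return baseline


def detect_anomalous_access(events, baseline, sensitive_buckets, learn_until):
    """Flag reads of sensitive buckets from an IP the principal never used in the baseline.

    Valid credentials pass authentication, so the signal has to come from context
    (here: a never-seen source address touching backup data), not from auth failures.
    """
    findings = []
    for e in events:
        if e["eventTime"] < learn_until or e["bucket"] not in sensitive_buckets:
            continue
        known_ips = baseline.get(e["user"], set())
        if e["sourceIPAddress"] not in known_ips:
            findings.append({"time": e["eventTime"], "user": e["user"],
                             "ip": e["sourceIPAddress"], "bucket": e["bucket"]})
    return findings


def run_sample():
    """Learn from events before 2022-08-10, then scan everything after it."""
    learn_until = "2022-08-10T00:00:00Z"
    baseline = build_baseline(SAMPLE_EVENTS, learn_until)
    return detect_anomalous_access(SAMPLE_EVENTS, baseline, SENSITIVE_BUCKETS, learn_until)
```

In production the baseline would be built from weeks of history and combined with other context (user agent, ASN, time of day), but the structure stays the same: alert on how a valid credential is used, not only on whether it authenticates.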

After the fact, LastPass said it has strengthened its security posture and begun rotating credentials, authentication keys and tokens. In addition, it is revoking certificates, has added extra logging and alerting, and has started to enforce stricter security policies.

Via: BleepingComputer