LastPass, a popular password manager, has released new information regarding a coordinated attack that resulted in the theft of data from Amazon AWS cloud storage servers for over two months. The company initially disclosed a breach in December, where threat actors stole partially encrypted password vault data and customer information. Now, the company has provided more insight into how the attackers carried out the attack.
LastPass states that the hackers used information stolen in an August breach, data from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer. This second coordinated attack exploited the stolen data from the first breach to gain access to the company's encrypted Amazon S3 buckets.
Hackers Targeted One of the LastPass DevOps
Since only four LastPass DevOps engineers had access to decryption keys, the threat actor targeted one of the engineers. The hackers successfully installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package. With this method, the threat actor was able to capture the employee's master password as it was entered and gain access to the DevOps engineer's LastPass corporate vault.
Once inside the corporate vault, the hackers exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
LastPass has revealed that the use of valid credentials made it challenging for the company's investigators to detect the threat actor's activity, which allowed the hackers to access and steal data for over two months, between August 12, 2022, and October 26, 2022.
LastPass Ultimately Detected the Anomalous Behavior
LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform the unauthorized activity.
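As an added illustration (not from LastPass or the original article), the script below runs a simple behavioural baseline over constructed CloudTrail-style events: every event succeeds, so no authentication failure ever fires, and the only usable signal is a known principal acting from a new source IP or calling an API it has never used, such as assuming an IAM role. The user, IP and bucket names are placeholders.

```python
"""Behavioural detection over constructed CloudTrail-style events.

None of the events carry an errorCode: the credentials are valid, which is
the situation described above. The detectable signal is a change in
behaviour for a known principal, not a failed login.
"""
from collections import defaultdict

# Constructed sample data; principal, IPs and bucket name are placeholders.
BASELINE = [
    {"user": "devops-eng-1", "ip": "203.0.113.10", "event": "GetObject",  "bucket": "prod-backups-EXAMPLE"},
    {"user": "devops-eng-1", "ip": "203.0.113.10", "event": "ListBucket", "bucket": "prod-backups-EXAMPLE"},
]
NEW_EVENTS = [
    {"user": "devops-eng-1", "ip": "203.0.113.10", "event": "GetObject",  "bucket": "prod-backups-EXAMPLE"},  # routine
    {"user": "devops-eng-1", "ip": "198.51.100.7", "event": "GetObject",  "bucket": "prod-backups-EXAMPLE"},  # new IP
    {"user": "devops-eng-1", "ip": "198.51.100.7", "event": "AssumeRole", "bucket": None},                    # never seen
]

def build_profile(events):
    """Per-principal profile: source IPs and API names seen during the baseline."""
    profile = defaultdict(lambda: {"ips": set(), "apis": set()})
    for e in events:
        profile[e["user"]]["ips"].add(e["ip"])
        profile[e["user"]]["apis"].add(e["event"])
    return profile

def detect(profile, events, sensitive_apis=("AssumeRole",)):
    """Return (event, reasons) pairs for events that deviate from the profile."""
    findings = []
    for e in events:
        p = profile.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("unknown principal")
        else:
            if e["ip"] not in p["ips"]:
                reasons.append("new source ip")
            if e["event"] not in p["apis"]:
                reasons.append("first use of api")
        if e["event"] in sensitive_apis:
            reasons.append("sensitive api")   # role assumption always deserves review
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for ev, why in detect(build_profile(BASELINE), NEW_EVENTS):
        print(ev["user"], ev["ip"], ev["event"], "->", ", ".join(why))
```

The routine event produces no finding; the two from the unfamiliar IP do, and the role assumption is flagged on three counts, which is the kind of deviation a GuardDuty-style alert surfaces when credentials themselves look legitimate.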
The company says it has since updated its security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.
As part of today's disclosure, LastPass has also detailed exactly what customer information was stolen during the attack.
The stolen data varies widely depending on the specific customer, but it includes multifactor authentication (MFA) seeds, MFA API integration secrets, and the split knowledge component (“K2”) key for Federated business customers. This information can be used to gain unauthorized access to user accounts and potentially compromise sensitive information.
LastPass has released a complete list of the stolen data, which can be found on their support page.
The LastPass coordinated attack highlights the importance of maintaining robust security measures to protect sensitive data. As a user, it's essential to use unique passwords for each account, enable multi-factor authentication whenever possible, and monitor your accounts for any unauthorized activity. Companies must also implement stringent security measures to prevent such attacks and detect them as soon as possible to minimize damage.