LastPass DevOps Engineer Targeted for Cloud Decryption Keys in Latest Breach Revelation

Published: 23/11/2024   Category: security




The adversaries obtained a decryption key to a LastPass database containing multifactor authentication and federation information as well as customer vault data, company says.



The threat actors who broke into password management firm LastPass's development environment last August used information gathered from that incident for a follow-on attack, the company confirmed. The attackers were able to access and exfiltrate data from an encrypted cloud storage service housing a backup of LastPass customer and vault data.
To pull off the heist, the adversaries targeted a home computer belonging to one of four DevOps engineers at LastPass who had the decryption keys needed to access a broader set of LastPass customer and encrypted vault data housed in encrypted Amazon S3 cloud storage buckets. 
The engineer's machine ran a vulnerable third-party media player, which the attacker exploited to gain access to the computer and install a keylogger. The malware eventually enabled the threat actor to gain access to the DevOps engineer's corporate vault and to export the decryption keys needed to access the LastPass production backups in AWS S3, LastPass said.
The DevOps engineer's credentials and keys allowed the threat actor to access a broad range of encrypted and unencrypted data — including password vault data — housed in the AWS S3 storage environment, LastPass announced this week. The backup data included configuration information, API and third-party integration secrets, customer metadata, and backups of all customer vault data. However, LastPass described most of the sensitive data in the customer vaults as encrypted and readable only with a unique decryption key derived from each end user's master password.
"As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass — therefore, they were not included in the exfiltrated data," the company said.
In addition, the attacker also accessed a backup of a database containing LastPass multifactor authentication (MFA) and federation information. The database included MFA seeds assigned to users when they first registered their MFA authenticator with LastPass, hashes of customer-generated one-time passwords (OTPs), and so-called split-knowledge components, or K2 keys, associated with business customers. The secrets that business customers use to integrate third-party MFA vendors such as Duo Security with LastPass were also affected.
This database was encrypted, but the separately stored decryption key was included in the secrets stolen by the threat actor, LastPass said. The company has published a complete description of all affected data.
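The practical consequence of the stolen MFA seeds is easy to understand with a worked example. A time-based OTP seed is the entire secret: the authenticator app and the server both derive the current code from it, so anyone holding a copy of the seed produces exactly the codes the legitimate user does, and only re-enrollment with a fresh seed invalidates the copy. The following is an added example written for this page, not LastPass code; it assumes the seeds in question are standard RFC 6238 TOTP secrets (HMAC-SHA1, 30-second step, 6 digits), which the article does not specify, and the seed used is the RFC 6238 reference secret, not any real user's value.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30  # assumed RFC 6238 default time step


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(enrolled_seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step plus/minus `window`
    steps of clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(enrolled_seed, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def seed_from_base32(s: str) -> bytes:
    """Authenticator apps and provisioning URIs carry the seed as base32; padding is optional."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def leaked_seed_still_passes(leaked_seed: bytes, enrolled_seed: bytes, unix_time: int) -> bool:
    """True if someone holding `leaked_seed` would pass verification against the seed
    the server currently has enrolled. After re-enrollment with a fresh seed this is False."""
    attacker_code = totp(leaked_seed, unix_time)
    return verify_totp(enrolled_seed, attacker_code, unix_time)


if __name__ == "__main__":
    # Constructed seed: the RFC 6238 reference secret "12345678901234567890" in base32.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("user's authenticator code:   ", totp(seed, now))
    print("attacker with copied seed:   ", totp(seed, now))
    print("copied seed accepted?        ", leaked_seed_still_passes(seed, seed, now))
    fresh_seed = os.urandom(20)  # re-enrollment issues a new 160-bit secret
    print("accepted after re-enrollment?", leaked_seed_still_passes(seed, fresh_seed, now))
```

The point for defenders is the last line: rotating the user's password does nothing for a leaked seed, because the seed is independent of the password. The only remediation is to re-enroll every affected authenticator, and the same applies to the third-party integration secrets the article mentions.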
The update sent out Feb. 27 is the latest twist in a breach tale that has been slowly growing in scope since last August, when LastPass disclosed that it had spotted unusual activity on its network. At the time, the password management firm said threat actors had broken into its cloud development environment via a compromised software engineer's laptop and stolen some source code and other proprietary technical information. In updates in November and December, LastPass said the same threat actors had used information obtained in the August incident to access and decrypt a limited number of storage volumes within the cloud-based storage service.
LastPass's most recent update is unlikely to win the company any new fans in the security industry, especially because the scope of the incident has kept changing with each disclosure. When it first reported the breach last August, company CEO Karim Toubba described it as limited to the company's development environment and claimed the company had achieved a state of containment. In its subsequent updates, the company reassured users about the separation between its development and production environments and why their information was therefore safe. With this week's announcement, LastPass said the attack on its cloud storage environment had overlapped with the attack on the development environment.
"The company now has a history of breaches and, depending on how you count, this is the third in less than a year," says Eric Noonan, CEO of CyberSheath. At a tactical level, it's hard to know what they might have done better, because information about the breaches has been relatively scant, he says. "In the bigger scheme of things this is what CISA and other accountable government agencies are talking about when they say product companies have a responsibility to build security and safety into their products prior to unleashing them on the public," Noonan says.
The company has advised business customers and individual customers to review their master passwords and change them if necessary. Users who have followed the company's previous recommendations for setting a master password should be safe from brute-force guessing of the stolen vault data.
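The two claims above (that the vault key is derived from the master password LastPass never sees, and that a password set to the company's guidance resists brute force) both rest on the cost of the key derivation. The following added example is mine, not LastPass's code. It assumes the scheme LastPass has described publicly, PBKDF2-HMAC-SHA256 keyed on the master password and salted with the account e-mail; the iteration counts (5,000 for an old account, 100,100 for the later default) and the attacker's guessing rate are illustrative assumptions used only to show how cost scales with password length and iteration count, not figures from the article.

```python
import hashlib

KEY_LEN = 32  # 256-bit vault key

# Illustrative assumptions, not figures from the article.
OLD_ITERATIONS = 5_000
DEFAULT_ITERATIONS = 100_100
ATTACKER_ITERATIONS_PER_SECOND = 1e10  # assumed aggregate PBKDF2 rate of a GPU rig


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the vault encryption key client-side from the master password.

    Only this derived key (and, for login, a further hash of it) ever leaves the
    client, so an attacker holding the encrypted vault backup has to guess the
    master password and repeat this derivation for every single guess.
    """
    salt = email.strip().lower().encode("utf-8")  # assumed: e-mail as salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def expected_crack_seconds(length: int, alphabet_size: int, iterations: int,
                           iterations_per_second: float) -> float:
    """Expected wall-clock time for exhaustive search: half the keyspace on average,
    each guess costing `iterations` PBKDF2 rounds, at the attacker's aggregate rate."""
    return keyspace(length, alphabet_size) / 2 * iterations / iterations_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed credentials for the demonstration, not real account data.
    key_a = derive_vault_key("correct horse battery staple", "Alice@Example.com", DEFAULT_ITERATIONS)
    key_b = derive_vault_key("correct horse battery staple", "alice@example.com", DEFAULT_ITERATIONS)
    assert key_a == key_b  # the salt is case-normalised, so both spellings yield one key
    print("vault key:", key_a.hex())

    scenarios = [
        ("8 lowercase letters, old iteration count", 8, 26, OLD_ITERATIONS),
        ("8 lowercase letters, default iteration count", 8, 26, DEFAULT_ITERATIONS),
        ("12 printable ASCII chars, default iteration count", 12, 94, DEFAULT_ITERATIONS),
    ]
    for label, length, alphabet, iters in scenarios:
        secs = expected_crack_seconds(length, alphabet, iters, ATTACKER_ITERATIONS_PER_SECOND)
        print(f"{label}: ~{seconds_to_years(secs):.3g} years")
```

Raising the iteration count buys a linear factor (20x between the two counts above); adding characters to the master password buys an exponential one, which is why a long master password on an old, low-iteration account is still defensible while a short one is not, regardless of the iteration count. Anyone unsure which regime their account was in should treat the vault contents as exposed and rotate the secrets it held.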
The attack is further proof of how inextricably linked enterprise security has become with the security of the networks and devices that employees use at home, security experts say.
"CISOs must understand the implications of a personal device compromise, a home network being wide open, or personal compromise impacting the company," says Chris Pierson, CEO and founder of BlackCloak. The risks are no longer theoretical and never have been, Pierson says. Because corporate environments have become so well fortified, cybercriminals are moving to the lowest-hanging fruit, which are often the personal devices of key employees and executives, he says.
A survey that BlackCloak conducted recently found that the personal desktops, mobile, and tablet computing devices that key corporate executives use often are vulnerable and lack basic protections. BlackCloak's data showed, for instance, that 76% of executives' personal devices actively leak data, 87% of executives' personal devices have no security software installed, and 23% of executives have open ports at home. The survey showed that 87% of executives use passwords that are currently leaked on the Dark Web, 54% do not use a password manager, and social media sites and data brokers hold a lot of information that attackers can use to social-engineer them.
Attacks like the one LastPass disclosed this week highlight why security teams need to focus more on protecting employees from account takeover attacks wherever they are and whatever device they might be using, says Avi Turgeman, CEO and co-founder of IronVest.
"They need to take a more holistic approach to protecting [employees against] all critical vulnerabilities," Turgeman tells Dark Reading. "This includes implementing measures such as identity authentication, access management, post-login protection, 2FA/MFA protection, and phishing." Eighty percent of data breaches are the result of compromised credentials, he notes.
