Already reeling from a hack that put partially encrypted login data in the hands of a threat actor, LastPass said Monday that the same attacker broke into an employee’s home computer and gained access to a decrypted vault available to only a handful of the company’s developers.
Although the initial intrusion into LastPass ended on Aug. 12, officials with the leading password manager said the threat actor “actively engaged in a new series of reconnaissance, enumeration, and hacking activities” from Aug. 12 to Aug. 26. The unknown threat actor managed to steal valid credentials from a senior DevOps engineer and gain access to the contents of a LastPass data vault. Among other things, the vault granted access to a shared cloud storage environment containing the encryption keys for customer vault backups stored in Amazon S3 buckets.
Another bomb drops
“This was achieved by targeting a DevOps engineer’s home computer and exploiting a third-party media software package, which enabled remote code execution capability and allowed the attacking actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to obtain the employee’s master password as it was entered, after authenticating the employee with MFA, and gain access to the DevOps engineer’s corporate LastPass vault.”
The hacked DevOps engineer was one of only four LastPass employees with access to the company’s vault. Once in possession of the decrypted store, the threat actor exported the entries, including “the decryption keys needed to access AWS S3 LastPass production backups, other cloud-based storage resources, and some critical database backups”.
Monday’s update comes two months after LastPass released a previous bombshell update that first said that, contrary to earlier assertions, attackers had obtained customer vaults containing both encrypted and plaintext data. LastPass said then that the attacker had also obtained the cloud storage access key and dual storage container decryption keys, allowing customer vault backup data to be copied from the encrypted storage container.
The backup data contained unencrypted fields, such as website URLs, alongside website usernames and passwords, secure notes, and form-fill data, which carried an additional layer of encryption using 256-bit AES. The new details explain how the threat actor obtained the S3 encryption keys.
Monday’s update said the tactics, techniques, and procedures used in the first incident were different from those used in the second, and as a result, it was not clear to investigators at first that the two were directly related. During the second incident, the threat actor used the information obtained during the first incident to enumerate and extract the data stored in S3 buckets.
“Alerting and logging were enabled during these events, but did not immediately indicate the anomalous behavior that became more apparent later during the investigation,” LastPass officials wrote. Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to gain access to a shared cloud storage environment, which initially made it difficult for investigators to distinguish threat actor activity from ongoing legitimate activity.
LastPass became aware of the second incident through Amazon’s anomalous-behavior warnings, which fired when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
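The detection problem the update describes, valid credentials acting inside a shared cloud environment, is usually approached by baselining each principal and alerting on departures from that baseline rather than on credential validity. The following is an added example, not LastPass’s tooling or AWS’s own detection logic: it profiles a constructed identity over CloudTrail-shaped records (field names follow CloudTrail’s public record format; every value, IP, bucket and role ARN is made up) and flags a new source IP, an assumed role the principal has never used, and a burst of S3 `List*` enumeration calls.

```python
"""Baseline-and-deviation detection over CloudTrail-style events.

Added example, not LastPass's or AWS's code. The event shape mirrors
CloudTrail's public record format; all values below are constructed.
"""
from collections import Counter, defaultdict


def _event(user, ip, source, name, **params):
    # Build one constructed CloudTrail-like record for the example.
    return {
        "userIdentity": {"userName": user},
        "sourceIPAddress": ip,
        "eventSource": source,
        "eventName": name,
        "requestParameters": params or None,
    }


# Constructed "normal" activity for a hypothetical DevOps identity.
BASELINE_EVENTS = [
    _event("devops-eng", "203.0.113.10", "s3.amazonaws.com", "GetObject", bucketName="prod-backups"),
    _event("devops-eng", "203.0.113.10", "s3.amazonaws.com", "PutObject", bucketName="prod-backups"),
    _event("devops-eng", "203.0.113.10", "sts.amazonaws.com", "AssumeRole",
           roleArn="arn:aws:iam::111111111111:role/BackupOperator"),
]

# Constructed activity from the same, still valid, credentials that a defender wants flagged.
SUSPECT_EVENTS = [
    _event("devops-eng", "198.51.100.7", "sts.amazonaws.com", "AssumeRole",
           roleArn="arn:aws:iam::111111111111:role/AdminBreakGlass"),
    _event("devops-eng", "198.51.100.7", "s3.amazonaws.com", "ListBuckets"),
] + [
    _event("devops-eng", "198.51.100.7", "s3.amazonaws.com", "ListObjects", bucketName=f"bucket-{i}")
    for i in range(6)
]


def build_baseline(events):
    """Per-principal profile of source IPs and assumed roles seen in the learning window."""
    profile = defaultdict(lambda: {"ips": set(), "roles": set()})
    for ev in events:
        user = ev["userIdentity"].get("userName", "unknown")
        profile[user]["ips"].add(ev["sourceIPAddress"])
        if ev["eventName"] == "AssumeRole" and ev["requestParameters"]:
            profile[user]["roles"].add(ev["requestParameters"].get("roleArn"))
    return profile


def detect_anomalies(events, baseline, enum_threshold=5):
    """Return findings for events that deviate from the principal's baseline.

    Rules: a source IP never seen for this principal, an AssumeRole to a role
    never assumed before, and more than enum_threshold S3 List* calls in the window.
    Each rule fires once per principal so a burst does not flood the queue.
    """
    findings = []
    list_calls = Counter()
    reported_ips = set()
    for ev in events:
        user = ev["userIdentity"].get("userName", "unknown")
        prof = baseline.get(user, {"ips": set(), "roles": set()})
        ip = ev["sourceIPAddress"]
        if ip not in prof["ips"] and (user, ip) not in reported_ips:
            reported_ips.add((user, ip))
            findings.append({"rule": "new_source_ip", "principal": user, "detail": ip})
        if ev["eventName"] == "AssumeRole":
            role = (ev["requestParameters"] or {}).get("roleArn")
            if role not in prof["roles"]:
                findings.append({"rule": "new_assumed_role", "principal": user, "detail": role})
        if ev["eventSource"] == "s3.amazonaws.com" and ev["eventName"].startswith("List"):
            list_calls[user] += 1
            if list_calls[user] == enum_threshold + 1:  # fire once, when the threshold is crossed
                findings.append({"rule": "enumeration_burst", "principal": user,
                                 "detail": f"more than {enum_threshold} S3 List* calls"})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for finding in detect_anomalies(SUSPECT_EVENTS, baseline):
        print(finding)
```

The point of the design is the one the LastPass quote makes: nothing about these events is "invalid", so a rule that only checks authentication success sees normal traffic. Tying alerts to per-principal history (where the identity usually connects from, which roles it usually assumes, how much it usually lists) is what lets a defender separate the operator from the stolen session, and the role-assumption rule is the closest analogue to the IAM-role warning that eventually surfaced the second incident.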
According to a person briefed on LastPass’ private report who spoke on condition of anonymity, the exploited media software package on the employee’s home computer was Plex. Interestingly, Plex reported that its own network was hacked on August 24, just 12 days after the second incident began. That hack allowed the threat actor to access a private database and steal password data, usernames, and emails of some of its 30 million customers. Plex is a major provider of media streaming services that let users stream movies and audio, play games, and access their own content hosted on home or local media servers.
It’s not clear if the Plex breach had anything to do with the LastPass intrusions. LastPass and Plex representatives did not respond to emails seeking comment for this story.
The threat actor behind the LastPass hack has proven particularly resourceful, and revelations that it successfully exploited a software vulnerability on an employee’s home computer reinforce that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it is not clear whether the actor has access to either, the precautions are warranted.
Updated Wednesday, March 1, 9:06 a.m.: A day after this post was published, a Plex representative wrote in an email: “We have not been contacted by LastPass, so we cannot speak on the specifics of their incident. We take security issues very seriously, and work frequently with third parties that report issues, big or small, using our guidelines and bug bounty program. When vulnerabilities are reported after a responsible disclosure, we deal with them quickly and thoroughly. We’ve never had a critical vulnerability for which a patched version hasn’t already been published. And when we encounter incidents of our own, we always choose to get it delivered quickly. We’re not aware of any unpatched vulnerabilities, and as always, we’re inviting people to disclose issues to us by following the instructions linked above. Looking at recent articles about the LastPass incident, although we’re not aware of any unpatched vulnerabilities, we’ve reached out to LastPass to be sure.”