According to LastPass, a worker’s home computer was hacked, and the corporate vault was stolen

LastPass announced on Monday that the same attacker broke into an employee’s home computer and obtained a decrypted vault that was only accessible to a small number of the company’s developers. The company was already reeling from a breach that gave a threat actor access to partially encrypted login data.

The threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity” from August 12 to August 26, according to representatives of the top password manager LastPass, even though the original breach into their system stopped on August 12. Throughout the process, the unidentified threat actor was able to access a LastPass data vault and obtain legitimate credentials from a senior DevOps engineer.

The vault provided access to a shared cloud storage system that housed the encryption keys for customer vault backups kept in Amazon S3 buckets, among other things. LastPass officials wrote, “this was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware.” “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

According to LastPass, an employee's home computer was hacked and the company  vault was stolen
Credits: US Today News

LastPass claimed that the threat actor also possessed dual storage container decryption keys

One of just four LastPass workers who had access to the company vault was the compromised DevOps engineer. The threat actor exported the entries after gaining access to the encrypted vault, which included the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

The bombshell update that LastPass released two months prior revealed for the first time that, in contrast to earlier claims, the attackers had indeed gotten client vault data comprising both encrypted and unencrypted data. LastPass said at the time that the threat actor also possessed dual storage container decryption keys and a cloud storage access key, enabling the transfer of client vault backup data from the encrypted storage container.

The backup data included both encrypted and unencrypted information, including usernames and passwords for websites, secure notes, and data filled out in forms using 256-bit AES encryption. The updated information clarifies how the threat actor got the S3 encryption keys.

According to Monday’s report, the first event’s tactics, techniques, and processes were distinct from those utilised in the second incident, and as a consequence, it wasn’t first obvious to investigators that the two were connected. The threat actor exploited the first event’s data to enumerate and exfiltrate the data kept in the S3 buckets during the second incident. When the threat actor attempted to exploit Cloud Identity and Access Management (IAM) roles to engage in illegal activities, Amazon alerted LastPass to the second occurrence.

Plex is one of the top providers of media streaming services

Plex was the media software application that was hacked on the employee’s personal computer, according to a source informed on a confidential investigation from LastPass who spoke on the condition of anonymity. It’s interesting to note that on August 24, just 12 days after the second incident started, Plex reported its own network attack. Via the breach, a threat actor was able to get access to a private database and steal usernames, passwords, and email addresses from some of the company’s 30 million clients.

One of the top providers of media streaming services is Plex, which enables users to play games, stream movies and music, and access their own content that is stored on personal or business media servers. It’s unclear whether the LastPass attacks are related in any way to the Plex hack. Emails for response from LastPass and Plex representatives were not returned.

The fact that the threat actor responsible for the LastPass breach was very crafty and was able to effectively exploit a software flaw on an employee’s personal computer only serves to support that opinion. All LastPass users should update their master passwords and any passwords saved in their vaults, as Ars suggested in December. The safeguards are necessary even if it’s unclear whether the threat actor has access to either.