CTI Flash Briefing: LastPass suffers 2nd Security Incident

James Beal
Hunter Strategy
Mar 1, 2023

Overview

LastPass has reported a second security incident affecting its systems, following the initial attack and disclosure in August 2022. From the security incident update posted on support.lastpass.com:

The two incidents that we disclosed last year affected LastPass and our customers. Neither incident was caused by any LastPass product defect or unauthorized access to — or abuse of — production systems. Rather, the threat actor exploited a vulnerability in third-party software, bypassed existing controls, and eventually accessed non-production development and backup storage environments.

We have shared technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with law enforcement and our threat intelligence and forensic partners. To date, however, the identity of the threat actor and their motivation remains unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.

LastPass has published full technical details of the attackers' process in its security disclosure posting, along with a detailed report for the first incident and now one for the second incident as well.

Second Incident Details

The attackers used the information exposed during the first incident to pivot into a second intrusion that persisted from mid-August 2022, at the “completion” of the first incident, through the end of October 2022 (specifically October 26th, per the incident report). This was a targeted attack on LastPass's cloud infrastructure and cloud storage resources.

Even though LastPass credentials were stolen in the first attack, those credentials were encrypted, and the attackers were not able to procure the decryption keys. Those keys were stored in only two places: a segregated orchestration platform, and a set of shared folders in a LastPass vault used by the DevOps engineers to perform their administrative IT functions. The second attack targeted one of the four DevOps engineers who had access to that vault, with the goal of stealing the decryption keys needed to access the cloud resources.

LastPass incident report:

This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.

The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

Further investigation has been done on the third-party media software. Per the Ars Technica story, a source speaking on condition of anonymity identified it as Plex, which, as noted, suffered its own security incident within two weeks of the initial LastPass compromise:

According to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident commenced. The breach allowed the threat actor to access a proprietary database and make off with password data, usernames, and emails belonging to some of its 30 million customers. Plex is a major provider of media streaming services that allow users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.

Lessons Learned

1. Bring Your Own Device (BYOD) is always a security risk to any organization. No matter the size of the company, individuals working at home on personal devices create a certain level of security risk, as their home networks and devices usually do not have the same level of protection as most corporate-owned devices. This needs to be a choice made on a case-by-case basis for your organization, weighed against the resources required to acquire, maintain, and support the hardware and to handle the employee technical issues that arise from both corporate and personal devices.

2. Network segmentation is a big lift but will always make the overall security posture of the company network more secure if it is done correctly. LastPass was able to destroy the affected development environment and rebuild it from scratch to ensure containment and eradication efforts were completed due to proper network segmentation.

3. Secrets need to be stored in a standardized way, in a well-protected system, for several reasons. First, they need to be protected as they are the major point of focus for any attacker. Second, the ability to rotate secrets should be a standard practice for any organization. This can be useful in the event of an attack or during normal administrative maintenance. If secrets are not stored in a central system, rotating them becomes arduous and insecure. Third, this allows for controls to be placed on the usage of those secrets and auditing to be done after the fact for any reason.

4. Monitoring and auditing controls need to be in place for all IT systems, whether on-premises or in the cloud. This is especially true for privileged account activity.

5. Security Operations Center (SOC) systems for monitoring, alerting, and auditing also need to be in place and configured properly. In the case of any event, but especially a security incident, this gives the security team and third-party incident response teams the ability to follow the trail of the attacker as they progressed through systems during the attack. Without this capability, especially on cloud resources where it tends to be more of an afterthought, everything from troubleshooting general IT issues to tracking security incidents becomes more and more of a guessing game for those tasked with finding out the truth. Without monitoring and auditing, you will never be able to truthfully answer an important question when handling an incident, which is “can we prove the attackers no longer have access to any of our systems?”.

6. Backups of all systems are necessary, going back as far as possible, because many incidents are not discovered until after the attackers have had access for a longer period of time than many people think. Those backups also need to be tested regularly, through tabletop exercises between security teams and your IT teams, or with a regular testing schedule. This ensures the process works, not just backups but also the restore/recovery process when it is needed for full system restoration after an incident.

7. Lastly, while it was not a major factor in this security incident as systems were already compromised, Multi-Factor Authentication (MFA) is a key resource for protecting systems. If you have a system for secret storage as discussed above combined with MFA everywhere, your systems have multiple layers of separate protection in place to stop unauthorized access.
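An added example for lessons 4 and 5 (not code from LastPass or Hunter Strategy): a minimal detection over CloudTrail-style records that flags reads of backup buckets made with a valid access key from an origin never seen for that key during a baseline window. The bucket names, key IDs, IP addresses and baseline cutoff are constructed assumptions; only the record field names follow the CloudTrail format.

```python
from collections import defaultdict

READ_EVENTS = {"GetObject", "ListObjects"}
BACKUP_BUCKETS = {"example-prod-backups"}   # assumption: buckets holding backups
BASELINE_END = "2022-08-01T00:00:00Z"       # assumption: end of the trusted window

def _ev(time, key, ip, agent, name, bucket):
    """Build one constructed record using CloudTrail field names."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"accessKeyId": key},
            "requestParameters": {"bucketName": bucket}}

# Constructed sample data, not taken from any real incident.
SAMPLE_EVENTS = [
    _ev("2022-07-10T09:00:00Z", "AKIAEXAMPLEDEVOPS01", "198.51.100.10", "aws-cli/2.7", "ListObjects", "example-prod-backups"),
    _ev("2022-07-20T09:05:00Z", "AKIAEXAMPLEDEVOPS01", "198.51.100.10", "aws-cli/2.7", "GetObject", "example-prod-backups"),
    _ev("2022-09-02T10:00:00Z", "AKIAEXAMPLEDEVOPS01", "198.51.100.10", "aws-cli/2.7", "GetObject", "example-prod-backups"),
    _ev("2022-09-05T03:12:00Z", "AKIAEXAMPLEDEVOPS01", "203.0.113.77", "Boto3/1.24", "GetObject", "example-prod-backups"),
    _ev("2022-09-05T03:13:00Z", "AKIAEXAMPLEDEVOPS01", "203.0.113.77", "Boto3/1.24", "GetObject", "example-public-assets"),
    _ev("2022-09-06T04:00:00Z", "AKIAEXAMPLESVC02", "192.0.2.5", "aws-cli/2.7", "ListObjects", "example-prod-backups"),
]

def find_unfamiliar_access(events, backup_buckets, baseline_end):
    """Return (time, key, ip, event, bucket) for each backup-bucket read whose
    (source IP, user agent) pair was not seen for that key before baseline_end.
    A key with no baseline at all is flagged on every backup read."""
    baseline = defaultdict(set)
    alerts = []
    # Same-format UTC ISO 8601 timestamps sort and compare correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev["userIdentity"]["accessKeyId"]
        origin = (ev["sourceIPAddress"], ev["userAgent"])
        if ev["eventTime"] < baseline_end:
            baseline[key].add(origin)
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if (ev["eventSource"] == "s3.amazonaws.com"
                and ev["eventName"] in READ_EVENTS
                and bucket in backup_buckets
                and origin not in baseline[key]):
            alerts.append((ev["eventTime"], key, ev["sourceIPAddress"],
                           ev["eventName"], bucket))
    return alerts

if __name__ == "__main__":
    for alert in find_unfamiliar_access(SAMPLE_EVENTS, BACKUP_BUCKETS, BASELINE_END):
        print("ALERT", *alert)
```

S3 object-level operations such as GetObject are CloudTrail data events, which are not recorded unless data event logging is enabled for the trail, so this check only works where that logging is already turned on for the backup buckets.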

Conclusion

This most recent breach gives us many lessons in protecting our organization’s systems from the potential harm of an attack. The details shared by LastPass are an excellent look into how the attack progressed, and they deserve high praise for sharing with the community instead of keeping the process secret. This allows everyone a chance to learn how real attacks happen and see what they can do to better protect their own organizations moving forward. If you have any questions related to this incident or would like to discuss any of the lessons learned for opportunities to mature your security processes, please reach out to Hunter Strategy. We would love to discuss those options with you!

Contact Us

contact@hunterstrategy.net

James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.