Already smarting from a breach that put partially encrypted login data in the hands of a threat actor, LastPass said Monday that the same attacker hacked an employee’s home computer and obtained a decrypted vault that was available to only a handful of company developers.
Although an initial intrusion into LastPass ended on August 12, officials from the password manager said the threat actor “actively engaged in a new set of exploration, enumeration and exfiltration activities” from August 12 to August 26. During that window, the threat actor stole valid credentials from a senior DevOps engineer and gained access to the contents of the engineer’s corporate LastPass vault. Among other things, that vault provided access to a shared cloud storage environment containing the encryption keys for customer vault backups stored in Amazon S3 buckets.
Another bomb drops
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s corporate LastPass vault.”
The hacked DevOps engineer was one of four LastPass employees who had access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
Monday’s update comes two months after LastPass issued a previous bombshell update that said, for the first time and contrary to earlier assertions, that the attackers had obtained customer vault data containing both encrypted and plaintext data. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, which allowed customer vault backup data to be copied from the encrypted storage container.
The backup data included both unencrypted fields, such as website URLs, and fields protected with an additional layer of 256-bit AES encryption: website usernames and passwords, secure notes, and form-fill data. Monday’s update explains how the threat actor obtained the S3 encryption keys.
Monday’s update said the tactics, techniques and procedures used in the first incident differed from those used in the second and, as a result, it was not initially clear to investigators that the two were directly related. During the second incident, the threat actor used information obtained during the first incident to enumerate and exfiltrate the data stored in the S3 buckets.
“Alerts and logging were enabled during these events, but did not immediately reflect the anomalous behavior that became more apparent during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to gain access to a shared cloud storage environment, which initially made it difficult for investigators to distinguish between threat actor activity and continued legitimate activity.”
LastPass learned of the second incident from Amazon’s anomalous behavior alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
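The point in the two paragraphs above, that the attacker held valid credentials so that nothing about the authentication looked wrong and only the behaviour did, is what a per-principal baseline is meant to catch. What follows is an added example, not LastPass’s or Amazon’s detection logic: it baselines one IAM role’s CloudTrail-style activity and then flags a new source address, API calls the role has never made, a denied role assumption, and a burst of calls well above the role’s historical peak. The events, account ID, role ARN, bucket names and IP addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Behavioural detection over CloudTrail-style S3/IAM events.

Example code added to this article; it is not LastPass's or Amazon's detection
logic.  Every event below is a constructed sample: the account ID, role ARN,
bucket names and IP addresses (RFC 5737 documentation ranges) are invented.
"""
from collections import Counter, defaultdict
from datetime import datetime

ROLE = "arn:aws:iam::123456789012:role/DevOpsBackupRole"  # assumed ARN
CORP_IP = "203.0.113.10"      # usual corporate egress address (constructed)
ATTACKER_IP = "198.51.100.7"  # address the stolen credentials arrive from (constructed)


def _event(time, name, ip, bucket=None, error=None, principal=ROLE):
    """Build a minimal CloudTrail-like record (a subset of the real fields)."""
    e = {"eventTime": time, "eventName": name, "principal": principal,
         "sourceIPAddress": ip}
    if bucket:
        e["bucket"] = bucket
    if error:
        e["errorCode"] = error
    return e


# Normal history: one backup read or write per day, from the corporate IP.
BASELINE_EVENTS = [
    _event(f"2022-08-{day:02d}T09:00:00Z", "GetObject" if day % 2 else "PutObject",
           CORP_IP, "prod-backups")
    for day in range(1, 11)
]

# Second-incident window: the same role and valid credentials, but from a new
# address, enumerating buckets, bulk-reading backups and probing another role.
INCIDENT_EVENTS = [_event("2022-08-12T02:13:00Z", "ListBuckets", ATTACKER_IP)]
INCIDENT_EVENTS += [
    _event(f"2022-08-12T02:13:{i:02d}Z", "ListObjectsV2", ATTACKER_IP, b)
    for i, b in enumerate(["prod-backups", "db-backups", "shared-storage"], 1)
]
INCIDENT_EVENTS += [
    _event(f"2022-08-12T02:14:{i:02d}Z", "GetObject", ATTACKER_IP, "prod-backups")
    for i in range(40)
]
INCIDENT_EVENTS.append(
    _event("2022-08-12T02:20:00Z", "AssumeRole", ATTACKER_IP, error="AccessDenied"))


def _minute(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(second=0)


def build_baseline(events):
    """Per principal: known source IPs, known API calls and the busiest minute seen."""
    baseline = defaultdict(lambda: {"ips": set(), "calls": set(), "peak_per_min": 0})
    per_minute = Counter((e["principal"], _minute(e)) for e in events)
    for e in events:
        baseline[e["principal"]]["ips"].add(e["sourceIPAddress"])
        baseline[e["principal"]]["calls"].add(e["eventName"])
    for (principal, _), n in per_minute.items():
        b = baseline[principal]
        b["peak_per_min"] = max(b["peak_per_min"], n)
    return dict(baseline)


def detect(baseline, events, burst_factor=5):
    """Flag deviations from each principal's own baseline.  The credentials are
    valid, so there are no auth failures to alert on; the signal is behaviour."""
    findings, seen = [], set()

    def add(principal, kind, detail):
        if (principal, kind, detail) not in seen:
            seen.add((principal, kind, detail))
            findings.append({"principal": principal, "kind": kind, "detail": detail})

    for e in events:
        p, b = e["principal"], baseline.get(e["principal"])
        if b is None:
            add(p, "unknown_principal", p)
            continue
        if e["sourceIPAddress"] not in b["ips"]:
            add(p, "new_source_ip", e["sourceIPAddress"])
        if e["eventName"] not in b["calls"]:
            add(p, "novel_api_call", e["eventName"])
        if e.get("errorCode") == "AccessDenied":
            add(p, "access_denied", e["eventName"])
    for (p, minute), n in Counter((e["principal"], _minute(e)) for e in events).items():
        if p in baseline and n > burst_factor * max(baseline[p]["peak_per_min"], 1):
            add(p, "call_burst", f"{n} calls at {minute:%Y-%m-%d %H:%M}")
    return findings


if __name__ == "__main__":
    for f in detect(build_baseline(BASELINE_EVENTS), INCIDENT_EVENTS):
        print(f["kind"], f["detail"])
```

The burst check is deliberately relative to the principal’s own historical peak rather than an absolute number, because a backup role that legitimately reads thousands of objects an hour would otherwise drown a genuine anomaly; the novel-call check is what surfaces the AssumeRole probe even though it was denied. In a real deployment the `principal` field would be taken from CloudTrail’s `userIdentity.arn` and the records read from the trail’s S3 delivery, and Amazon’s managed equivalent of this kind of per-principal anomaly finding is GuardDuty.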
According to a person briefed on a private report from LastPass who spoke on condition of anonymity, Plex was the media software package used on the employee’s home computer. Interestingly enough, Plex reported its own network intrusion on August 24, just 12 days after the second incident began. The breach allowed the threat actor to gain access to a proprietary database and details of passwords, usernames and emails belonging to some of its 30 million customers. Plex is a major provider of streaming media services that allows users to stream movies and audio, play games, and access their own content hosted on home or on-premises media servers.
It’s unclear if the Plex breach has anything to do with the LastPass intrusion. LastPass and Plex representatives did not respond to emails seeking comment for this story.
The threat actor behind the LastPass breach has proven to be particularly resourceful, and the revelation that it exploited a software vulnerability on an employee’s home computer further reinforces that perception. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. Although it is unclear whether the threat actor has access to either, the precaution is warranted.