LastPass Hackers

Using information from the first incident, information from a third-party data breach and a flaw in a third-party media software package, the threat actor targeted LastPass to carry out a second “coordinated attack.”

In a coordinated attack, this campaign attacked the LastPass employee, its resources, and its infrastructure.

“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022, to October 26, 2022”, LastPass reports.

Threat Actor Gained Access to a Shared Cloud-Storage Environment

LastPass stated that the threat actor was able to use legitimate credentials obtained from a senior DevOps engineer to access a shared cloud-storage environment.

The threat actor needs to gain AWS Access Keys and the LastPass-generated decryption keys in order to access the cloud-based storage resources, specifically S3 buckets that are protected using either AWS S3-SSE encryption, AWS S3-KMS encryption, or AWS S3-SSE-C encryption. 

Backups of LastPass user data and data from encrypted vaults are stored in the encrypted cloud-based storage services.

The threat actor targeted one of the four LastPass DevOps engineers because they were the only ones with access to the decryption keys.

 In the end, the hackers were able to successfully install a keylogger on the employee’s device by taking advantage of a remote code execution flaw in a third-party media software package.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault”, LastPass.

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups”.

As the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to conduct illegal activities, LastPass eventually discovered the odd behavior through AWS GuardDuty Alerts.

Data Accessed in Incident 1:

  • 14 of 200 software repositories were on-demand, cloud-based development, and source code repositories.
  • Internal repositories scripts containing LastPass secrets and certificates.
  • Internal documentation – technical information describing the operation of the development environment.

Data Accessed in Incident 2:

  • DevOps Secrets – restricted secrets used to gain access to our cloud-based backup storage.
  • Cloud backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. Except for URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, all sensitive customer vault data was encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. End user master passwords, as a reminder, are never known to LastPass and are never stored or maintained by LastPass; thus, they were not included in the exfiltrated data.
  • LastPass MFA/Federation Database Backup – included copies of LastPass Authenticator seeds, phone numbers used for the MFA backup option (if enabled), and a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). Although this database was encrypted, the separately stored decryption key was among the secret information stolen by the threat actor during the second activity.

The company assisted the DevOps Engineer with hardening the security of their home network and personal resources. Also, LastPass’ AWS S3 cloud-based storage resources were examined, and further S3 hardening measures were implemented.

Since then, according to the company, they have changed their overall security by revoking certificates, rotating sensitive credentials and authentication keys/tokens, adding more logging and alerting, and implementing tougher security standards.

Network Security Checklist – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.