Site icon IT World Canada

Senior LastPass developer’s home computer hacked as part of last year’s data theft; decryption keys stolen

Data Breach Graphic

Image by GOCMEN via GettyImages.ca

Password management provider LastPass has admitted that part of last August’s breach of security controls included hackers compromising the home computer of one of the company’s DevOps engineers to help in data theft.

LastPass, which is owned by GoTo, had previously detailed the attack, which saw a threat actor exfiltrating encrypted backups involving its Central, Pro, join.me, Hamachi, and RemotelyAnywhere products that were stored on Amazon’s cloud storage. Also stolen was an encryption key for a portion of the encrypted backups. Some source code and technical information were also stolen from the company’s development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service. 

This week the company added more information describing the entire attack. The theft from the cloud storage service and source code is what it calls the first incident. There was a second incident involving the DevOps engineer as part of the same attack.

While LastPass was dealing with the first incident, which ended on August 12, 2022, the  attacker pivoted to go after a developer who had access to the decryption keys needed to access the cloud storage service. This attack and data theft went on until October, 2022.

“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” the report says.

“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation. Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity. Ultimately AWS GuardDuty Alerts informed us of anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”

The DevOps engineer was one of four who had access to the decryption keys needed to access the cloud storage service.

That person’s home computer was compromised by exploiting a vulnerable third-party media software package, the report says, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with multi-factor authentication, and gain access to the DevOps engineer’s LastPass corporate vault.

“The threat actor then exported the native corporate vault entries and content of shared folders, the report says, “which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

LastPass says its investigation and incident response to the second incident continues. It includes:

Exit mobile version