LastPass announced on Monday that the same threat actor that gained access to partially encrypted login data also hacked an employee's home computer and accessed a decrypted vault available to only a few company developers.
Despite the fact that the initial intrusion into LastPass stopped on August 12, the major password manager reported that the threat actor "was actively engaged in a fresh set of reconnaissance, enumeration, and exfiltration activity" from August 12 to August 26.
An unknown threat actor gained access to the contents of a LastPass data vault by stealing valid credentials from a senior DevOps engineer.
The vault provided access to a shared cloud-storage environment that housed the encryption keys for Amazon S3 bucket-stored customer vault backups.
LastPass officials wrote: "This was achieved by accessing the DevOps engineer's home computer and using a vulnerable third-party media software package, which permitted remote code execution and allowed the threat actor to implant keylogger malware."
After the employee authenticated with MFA, the threat actor was able to record the employee's master password as it was input and obtain access to the DevOps engineer's LastPass corporate vault.
The compromised DevOps engineer was one of four LastPass employees with access to the company's vault.
Once in possession of the decrypted vault, the threat actor exported the entries, which included "the decryption keys required to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some crucial database backups."
Monday's disclosure comes two months after LastPass delivered a prior bombshell update in which it revealed for the first time that, contrary to previous statements, attackers had obtained encrypted and plaintext customer vault data.
The threat actor had also gained a cloud storage access key and dual storage container decryption keys, enabling the copying of client vault backup data from an encrypted storage container, according to LastPass.
The backup data included both unencrypted data, such as website URLs, and encrypted data, such as website usernames and passwords, secure notes, and form-filled data encrypted using 256-bit AES.
The additional information clarifies how the threat actor acquired the S3 encryption keys.
Monday's report stated that the tactics, techniques, and procedures used in the first incident were distinct from those used in the second, and that as a result it was initially unclear to investigators that the two incidents were connected.
During the second event, the threat actor used information gathered from the first incident to enumerate and exfiltrate the S3 buckets' data.
"Alerting and logging were enabled during these situations, but did not instantly identify the abnormal behavior that became more apparent in retrospect," LastPass officials stated.
"Specifically, the threat actor used genuine credentials obtained from a senior DevOps engineer to access a shared cloud-storage environment, making it first difficult for investigators to distinguish between threat actor activity and continued legitimate activity."
Amazon's warnings of aberrant behavior alerted LastPass to the second incident, in which a threat actor attempted to exploit Cloud Identity and Access Management (IAM) roles to undertake unauthorized activity.
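The difficulty LastPass describes, telling an attacker holding a legitimate engineer's credentials apart from that engineer's normal work, is a detection-engineering problem rather than an authentication one. The following is an added example, not LastPass's or AWS's code, of the kind of behavioural rules a defender would run over CloudTrail-style events to surface the pattern reported here: a known principal appearing from a never-before-seen source address, touching an unusual breadth of S3 buckets, and being denied on IAM role assumptions. The events, the baseline IP set, the user name, the bucket names and the role ARN (account `123456789012`) are all constructed for the example and are not from the incident.

```python
"""Behavioural detection over constructed CloudTrail-style events (illustrative only)."""
from collections import defaultdict

# Constructed sample events; field names follow the CloudTrail record layout.
# The first event is ordinary work from a known address; the rest model a session
# from an unfamiliar address that walks several backup buckets and then trips an
# AccessDenied while trying to assume a more privileged role.
SAMPLE_EVENTS = [
    {"eventTime": "2022-08-13T09:02:11Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"userName": "devops-engineer"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "prod-backups-01"}},
    {"eventTime": "2022-08-14T02:17:40Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"userName": "devops-engineer"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {}},
    {"eventTime": "2022-08-14T02:18:03Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
     "userIdentity": {"userName": "devops-engineer"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "prod-backups-01"}},
    {"eventTime": "2022-08-14T02:18:09Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
     "userIdentity": {"userName": "devops-engineer"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "prod-backups-02"}},
    {"eventTime": "2022-08-14T02:19:30Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"userName": "devops-engineer"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "db-backups"}},
    {"eventTime": "2022-08-14T02:25:55Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"userName": "devops-engineer"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/BackupAdmin"},
     "errorCode": "AccessDenied"},
]

# Assumed baseline: source addresses previously seen for each principal during normal work.
# In practice this would be learned from weeks of history, not hard-coded.
BASELINE_IPS = {"devops-engineer": {"203.0.113.10"}}


def detect_anomalies(events, baseline_ips=BASELINE_IPS, enum_threshold=3):
    """Return a list of findings (dicts with a 'rule' key) for the given events.

    Rules:
      new_source_ip          - a principal acts from an address absent from its baseline
      denied_role_assumption - STS AssumeRole refused with AccessDenied
      bucket_enumeration     - one principal touches >= enum_threshold distinct buckets
    """
    findings = []
    seen_new_ips = set()                 # (user, ip) pairs already reported, to avoid noise
    buckets_by_user = defaultdict(set)   # distinct S3 buckets each principal touched

    for ev in events:
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        ip = ev.get("sourceIPAddress", "")
        params = ev.get("requestParameters") or {}

        # Rule 1: valid credentials used from somewhere this principal has never been seen.
        if ip not in baseline_ips.get(user, set()) and (user, ip) not in seen_new_ips:
            seen_new_ips.add((user, ip))
            findings.append({"rule": "new_source_ip", "user": user, "ip": ip,
                             "first_event": ev.get("eventName")})

        # Collect bucket breadth for Rule 3 (ListBuckets carries no bucketName, so it adds nothing).
        if ev.get("eventSource") == "s3.amazonaws.com" and params.get("bucketName"):
            buckets_by_user[user].add(params["bucketName"])

        # Rule 2: refused privilege escalation attempts via IAM roles.
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("errorCode") == "AccessDenied":
            findings.append({"rule": "denied_role_assumption", "user": user, "ip": ip,
                             "role": params.get("roleArn")})

    # Rule 3: breadth of buckets touched, a cheap proxy for enumeration before exfiltration.
    for user, buckets in buckets_by_user.items():
        if len(buckets) >= enum_threshold:
            findings.append({"rule": "bucket_enumeration", "user": user,
                             "bucket_count": len(buckets), "buckets": sorted(buckets)})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_EVENTS):
        print(finding)
```

None of these rules needs to know the credentials are stolen; each scores behaviour against what the principal normally does, which is exactly the signal LastPass says was present but only obvious in retrospect. The bucket-breadth threshold is deliberately low here so the constructed sample trips it; a real deployment tunes it per role from historical activity.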