At a glance.
- LastPass data breach exposes user data.
- Google takes action against commercial spyware vendor.
- Staffordshire water supply service breached.
- USA TODAY shares searchable medical data breach database.
LastPass discloses a breach.
Freemium password manager LastPass has disclosed it suffered a cyberattack in which intruders breached its cloud storage using information previously stolen in an August security incident. Bleeping Computer reports that the company has also confirmed the attackers accessed customer data stored in the compromised storage service. “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo,” the company stated in an announcement on its website. Still, LastPass assured customers that their passwords were not exposed, as they “remain safely encrypted due to LastPass's Zero Knowledge architecture.”
As the Guardian explains, in the August security incident, LastPass determined that some of its source code and technical information was stolen when threat actors gained access to a third-party storage service. An investigation determined the attacker had taken portions of source code and some proprietary technical information, but indicated the risk to the app was limited because its production environment was physically separate from the development environment. “Developers do not have the ability to push source code from the development environment into production,” the company said at the time. However, this new disclosure indicates the initial breach was more intrusive than originally anticipated. “We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” CEO Karim Toubba stated. “In the meantime, we can confirm that LastPass products and services remain fully functional.”
Michael White, Technical Director and Principal Architect at Synopsys Software Integrity Group, considers the implications if, as speculation holds, the cause of the breach lay in a compromised development system:
“If the root cause is indeed confirmed to be a compromised development system, then this latest episode is a continuation of an attack vector we have seen with the high profile ‘Sun Burst’ attack which targeted SolarWinds and several others.
"Once compromised, access to a development or test system can give away the ‘keys to the kingdom’ which allow an attacker lateral movement towards critical sensitive information, or permit an attacker to interfere in the software build process to introduce backdoors which make their way into production. Protecting software development environments, again and again, is proven to be of absolute importance to prevent these scenarios.
"Most organizations know very well the type of controls that they should have in place to protect production systems. Yet many overlook such protections for software development environments – including toolchains such as build servers, source code repositories, and test instances – perhaps because these are not viewed as important as customer facing production services, or are excluded from the scope of compliance with various existing standards because development environments themselves do not process customer data directly.
"When we talk about software supply chain attacks – protecting the internal software delivery process and infrastructure itself is a critical element of this for many organizations. Guidelines have recently been released such as SLSA, NIST 800-161, and others – which highlight how an organization can implement effective controls throughout the lifecycle – but many of the key concepts are actually quite familiar to seasoned information security professionals, which is to adopt an adversarial mindset and implement appropriate controls to mitigate identified risks. Most organizations will already operate a secure development lifecycle, and so the topic of protecting the development environments themselves is a natural addition to the scope of that program if it is not already.”
Added, 8:30 PM, December 1st, 2022.
Amit Shaked, CEO and co-founder of Laminar, notes that security issues arise even for capable and well-prepared organizations:
“This incident shows that even companies that specialize in security are still learning how to best protect and monitor data residing in third-party cloud applications. This education gap is leading to the compromise of important customer and company data. Therefore, it is essential for data and security teams across all industries to think beyond their on-premises infrastructure when asking: where is our sensitive data and is it protected?
"Scattered data stores are an extremely common problem as companies transition into cloud-based environments, increasing overall organizational security risk. In fact, the presence of unknown or 'shadow' data is increasing across the board and is now a top concern for 82% of data security professionals. To safeguard against data leaks like today’s and have full visibility into hidden data stores, organizations must have complete observability of their cloud data. It is critical to know where it resides, who is accessing it and what its security posture is."
Google takes action against commercial spyware vendor.
Google's Threat Analysis Group (TAG) announced yesterday that it is taking action to block a commercial spyware network that allegedly targeted desktop computers. Evidence found in the source code indicates the exploitation framework, dubbed Heliconia, was developed by Spanish tech firm Variston IT and enables spyware to be installed on targeted devices. A series of anonymous submissions to Google's Chrome bug reporting program indicated exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be abused to deploy spyware on target devices, including Windows and Linux computers. TAG researchers told WIRED, “The findings indicate that we have many small players within the spyware industry, but with strong capabilities related to zero days.” Variston IT director Ralf Wegner told TechCrunch that the company wasn’t aware of Google’s research and could not validate its findings, but “would be surprised if such [sic] item was found in the wild.” Google says that although it has not seen the vulnerabilities actively exploited in the wild, the bugs were likely used as zero-days and later as n-day bugs after patches were made available by Google, Microsoft, and Mozilla in early 2021 and 2022. In a blog post detailing its findings, TAG states, “These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.”
Staffordshire water supply service breached.
UK water supply company South Staffs Water has disclosed that parent company South Staffordshire PL suffered a cyberattack that compromised customer data. Though the incident was detected in July, South Staffs Water waited to inform the public until now after receiving confirmation that customer data were impacted. The company is sending notification letters to impacted individuals, and customer service and billing portals are still operating as usual.
Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, looks at the incident from a risk-management perspective:
“In evaluating risk, there needs to be a plan that includes controls on areas of temporal impact such as data sensitivity and privacy, connectivity, supply chain, criticality, safety, etc. These controls should, in a best case, prevent adverse actions on the data. I applaud South Staffordshire Water in this case – they have been stepping through the forensic analysis for the Clop ransomware attack and are prudently divulging what they know, when they know it. In incident response, jumping to conclusions or making assumptions is bad for business and can be a dangerous practice.
"The best incident response is prevention of the incident in the first place. Identification of the temporal risks and evaluation of the security controls in line with the attack or exploitation vectors is no simple task but will highlight any areas for improvement necessary. This all starts with knowing your environment and assets and vulnerabilities.”
USA TODAY shares searchable medical data breach database.
After conducting an analysis of data submitted to the US Department of Health and Human Services (HHS), USA TODAY has found that the medical records of over 40 million Americans have been stolen or exposed this year due to security vulnerabilities in electronic health care systems. The numbers also show exposures have been increasing exponentially over time, as from 2010 to 2014 nearly 50 million people were impacted by medical data theft, and the number quadrupled over the next five years. Using the data collected from HHS, USA TODAY has created a database of health care data breaches going back to 2009. Updated daily, the database allows users to search by company name to identify breaches that might have compromised their healthcare details.