LastPass sustains a second data breach.
N2K, Mar 1, 2023

LastPass has experienced a second data breach. The company says this one was the work of a threat actor leveraging information from an earlier breach to target an employee’s home computer.

LastPass sustains a second data breach.

Password manager LastPass disclosed a second breach of its systems on Monday. A threat actor leveraged information stolen in an August breach to target the home computer of a senior employee. In what the company has called a “coordinated second attack,” the company’s Amazon AWS cloud storage servers were accessed and data were stolen, Bleeping Computer wrote Monday.

Leveraging available LastPass data.

LastPass disclosed that the first 2022 incident ended on August 12, but that the threat actor “pivoted from the first incident,” the company says, “but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.” Naked Security notes that, according to the password manager, in this second incident the threat actor took advantage of data exposed in the first breach, before the affected systems were reset, “to enumerate and ultimately exfiltrate data from the cloud storage resources.”

Accessing the network via an employee’s keylogger.

LastPass stressed in its disclosure that the data stolen in the first attack required decryption keys the attackers did not have, which is why the threat actor used the stolen data to target “one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service.” The company says the engineer’s home computer was compromised through vulnerable third-party software that allowed remote code execution and the installation of a keylogger. The keylogger eventually captured the engineer’s master password for the corporate vault, entered after the engineer had already authenticated with MFA. “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” recounted LastPass.
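The second incident, as described above, was months of reconnaissance, enumeration, and exfiltration against cloud storage carried out with a legitimate identity’s keys. The following is an added example (not code from LastPass, Bleeping Computer, or any other outlet cited here) of the kind of hunting logic a detection engineer would run over S3 access records for exactly that pattern: a known principal appearing from a source address outside its baseline, listing several buckets in a short window, and then pulling a large volume from buckets whose names mark them as backups or production data. The flattened event shape, the thresholds, the bucket-naming convention, and every sample record are constructed for illustration.

```python
"""Flagging cloud-storage enumeration and bulk download by a valid identity.

Added example, not code from LastPass or any outlet cited in the article.
Runs three simple detections over flattened, CloudTrail-style S3 events.
Event shape, thresholds and sample records are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_END = datetime(2022, 8, 12)      # constructed: end of the "known good" window
ENUM_DISTINCT_BUCKETS = 3                 # distinct buckets listed within ENUM_WINDOW
ENUM_WINDOW = timedelta(hours=1)
EXFIL_WINDOW = timedelta(hours=24)
EXFIL_BYTES = 500_000_000                 # 500 MB from sensitive buckets per day
SENSITIVE_MARKERS = ("backup", "prod")    # constructed bucket-naming convention

DEVOPS = "arn:aws:iam::111122223333:user/devops-1"   # constructed principal

# Constructed sample records. Real CloudTrail S3 data events nest these fields
# (userIdentity.arn, requestParameters.bucketName, additionalEventData.bytesTransferredOut).
SAMPLE_EVENTS = [
    # Routine activity from the engineer's usual address, inside the baseline window.
    {"eventTime": "2022-08-01T09:00:00Z", "eventName": "GetObject", "arn": DEVOPS,
     "sourceIPAddress": "203.0.113.10", "bucket": "ci-artifacts", "bytes": 2_000_000},
    {"eventTime": "2022-08-05T10:30:00Z", "eventName": "GetObject", "arn": DEVOPS,
     "sourceIPAddress": "203.0.113.10", "bucket": "ci-artifacts", "bytes": 1_500_000},
    # Same identity, new source address, enumerating buckets and then pulling backups.
    {"eventTime": "2022-08-20T02:00:00Z", "eventName": "ListBuckets", "arn": DEVOPS,
     "sourceIPAddress": "198.51.100.77", "bucket": None, "bytes": 0},
    {"eventTime": "2022-08-20T02:05:00Z", "eventName": "ListObjectsV2", "arn": DEVOPS,
     "sourceIPAddress": "198.51.100.77", "bucket": "prod-backups", "bytes": 0},
    {"eventTime": "2022-08-20T02:07:00Z", "eventName": "ListObjectsV2", "arn": DEVOPS,
     "sourceIPAddress": "198.51.100.77", "bucket": "db-backups", "bytes": 0},
    {"eventTime": "2022-08-20T02:09:00Z", "eventName": "ListObjectsV2", "arn": DEVOPS,
     "sourceIPAddress": "198.51.100.77", "bucket": "shared-notes", "bytes": 0},
    {"eventTime": "2022-08-20T03:00:00Z", "eventName": "GetObject", "arn": DEVOPS,
     "sourceIPAddress": "198.51.100.77", "bucket": "prod-backups", "bytes": 300_000_000},
    {"eventTime": "2022-08-20T03:40:00Z", "eventName": "GetObject", "arn": DEVOPS,
     "sourceIPAddress": "198.51.100.77", "bucket": "db-backups", "bytes": 250_000_000},
    # Routine activity after the baseline window stays quiet.
    {"eventTime": "2022-08-21T09:00:00Z", "eventName": "GetObject", "arn": DEVOPS,
     "sourceIPAddress": "203.0.113.10", "bucket": "ci-artifacts", "bytes": 1_000_000},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def baseline_source_ips(events, baseline_end=BASELINE_END):
    """Source IPs seen per principal before the baseline cut-off."""
    ips = defaultdict(set)
    for e in events:
        if _ts(e) < baseline_end:
            ips[e["arn"]].add(e["sourceIPAddress"])
    return ips


def detect(events, baseline_end=BASELINE_END):
    """Return alerts as (kind, principal, detail) tuples, in event order.

    Each (kind, principal) pair is reported once so a long campaign does not
    flood the queue; a real pipeline would also carry the triggering event ids.
    """
    events = sorted(events, key=_ts)
    known_ips = baseline_source_ips(events, baseline_end)
    alerts, flagged = [], set()
    listings = defaultdict(list)     # principal -> [(time, bucket)]
    downloads = defaultdict(list)    # principal -> [(time, bytes)]
    for e in events:
        t = _ts(e)
        if t < baseline_end:
            continue                 # baseline events build the profile, they are not scored
        who, ip = e["arn"], e["sourceIPAddress"]
        if ip not in known_ips[who] and ("new_source_ip", who, ip) not in flagged:
            flagged.add(("new_source_ip", who, ip))
            alerts.append(("new_source_ip", who, ip))
        if e["eventName"].startswith("List"):
            listings[who].append((t, e.get("bucket")))
            recent = {b for ts, b in listings[who] if b and t - ts <= ENUM_WINDOW}
            if len(recent) >= ENUM_DISTINCT_BUCKETS and ("enumeration", who) not in flagged:
                flagged.add(("enumeration", who))
                alerts.append(("enumeration", who, sorted(recent)))
        bucket = e.get("bucket") or ""
        if e["eventName"] == "GetObject" and any(m in bucket for m in SENSITIVE_MARKERS):
            downloads[who].append((t, e["bytes"]))
            total = sum(b for ts, b in downloads[who] if t - ts <= EXFIL_WINDOW)
            if total >= EXFIL_BYTES and ("bulk_download", who) not in flagged:
                flagged.add(("bulk_download", who))
                alerts.append(("bulk_download", who, total))
    return alerts


if __name__ == "__main__":
    for kind, who, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:15} {who} {detail}")
```

None of the three rules needs the credentials to be known as stolen; they score behaviour against what the identity normally does, which is the only signal available when the key material itself is valid. The baseline cut-off and byte threshold are the knobs a team would tune to its own environment.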

Dror Liwer, co-founder of Coro, notes the importance of protected company devices to prevent situations like these:

“The concept of personal, home, or corporate device represents an outdated way of thinking about security. Any device used to access any company data, and that includes email, should be protected. The issue of course is that employees are reluctant to put corporate-mandated security tools on their private devices. The right policy must be about access control: Devices that are not protected, or that do not comply with company guidelines for security posture, should simply not be allowed access. It sounds draconian – but it gives the employee the option to either use their private device with company-issued security tools, or corporate device only.”

Sharon Nachshony, Security Researcher at Silverfort, advises against quick judgment, and for a potential additional layer of MFA:

“Given the number of people who rely on LastPass it’s easy to pass quick judgment on back-to-back incidents; however, what this really shows is the difficulty of detecting attacks that use seemingly legitimate, yet stolen, credentials. By obtaining these credentials, the threat actor was able to masquerade as a highly trusted user, giving them the freedom to pivot into the cloud storage environment.

“The corporate vaults holding privileged credentials often become a single point of failure. Given enough reconnaissance time a motivated attacker will try to understand how to compromise such vaults because, once they have such credentials, it’s like having a VIP pass to corporate resources. In the case of this attack, an additional layer of MFA to authenticate into the cloud storage environment may have provided additional protection.”
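Liwer’s point (an unprotected or non-compliant device gets no access at all) and Nachshony’s (a separate MFA layer in front of the cloud storage environment) are both access-control decisions, and they compose naturally. The following is an added example, not code from Coro, Silverfort, or LastPass, showing how a policy decision point could express them: posture failures and missing enrollment deny outright with the reasons recorded, and even a compliant, MFA-authenticated device must present a recent step-up assertion before reaching a privileged resource. Resource names, posture attribute names, the freshness window, and the sample devices are all constructed; a real deployment would read posture from the MDM/EDR and the MFA timestamps from the identity provider.

```python
"""Posture-gated access with step-up MFA for privileged stores.

Added example, not code from Coro, Silverfort or LastPass. Attribute names,
resource names, policy values and sample devices are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

PRIVILEGED_RESOURCES = {"cloud-storage", "secrets-vault"}   # constructed names
STEP_UP_MAX_AGE = timedelta(minutes=10)                      # constructed policy value
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True, "os_patched": True}


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in corporate device management
    posture: dict          # attribute -> observed value, as reported by MDM/EDR


@dataclass
class Session:
    user: str
    device: Device
    primary_mfa: bool                        # MFA completed at initial sign-in
    step_up_mfa_at: Optional[datetime] = None  # time of the last separate MFA challenge


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every failed control, not just the first


def evaluate_access(session, resource, now):
    """Deny unless the device is managed and compliant, the session has primary MFA,
    and privileged resources are backed by a fresh step-up MFA assertion."""
    reasons = []
    dev = session.device
    if not dev.managed:
        reasons.append("device not enrolled in management")
    for attr, expected in REQUIRED_POSTURE.items():
        if dev.posture.get(attr) != expected:
            reasons.append(f"posture check failed: {attr}")
    if not session.primary_mfa:
        reasons.append("primary MFA not completed")
    if resource in PRIVILEGED_RESOURCES:
        # Primary MFA at sign-in is not enough here: require a separate, recent challenge.
        fresh = (session.step_up_mfa_at is not None
                 and now - session.step_up_mfa_at <= STEP_UP_MAX_AGE)
        if not fresh:
            reasons.append(f"step-up MFA required for {resource}")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample devices and sessions.
NOW = datetime(2023, 3, 1, 12, 0)
HOME_LAPTOP = Device("home-laptop", managed=False,
                     posture={"disk_encrypted": True, "edr_running": False, "os_patched": True})
CORP_LAPTOP = Device("corp-laptop", managed=True,
                     posture={"disk_encrypted": True, "edr_running": True, "os_patched": True})


def demo():
    """Return the decisions for a few representative sessions."""
    return {
        "home_to_storage": evaluate_access(
            Session("devops-1", HOME_LAPTOP, primary_mfa=True), "cloud-storage", NOW),
        "corp_to_ticketing": evaluate_access(
            Session("devops-1", CORP_LAPTOP, primary_mfa=True), "ticketing", NOW),
        "corp_to_storage_no_stepup": evaluate_access(
            Session("devops-1", CORP_LAPTOP, primary_mfa=True), "cloud-storage", NOW),
        "corp_to_storage_fresh_stepup": evaluate_access(
            Session("devops-1", CORP_LAPTOP, primary_mfa=True,
                    step_up_mfa_at=NOW - timedelta(minutes=3)), "cloud-storage", NOW),
        "corp_to_storage_stale_stepup": evaluate_access(
            Session("devops-1", CORP_LAPTOP, primary_mfa=True,
                    step_up_mfa_at=NOW - timedelta(minutes=30)), "cloud-storage", NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:30} allow={decision.allow} {decision.reasons}")
```

Recording every failed control rather than short-circuiting on the first is deliberate: the deny reasons are what the help desk and the audit log need, and they let the policy be tested one control at a time.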

LastPass’s response to the incident.

The Verge reports that the company has disclosed all the classes of data accessed in both breaches and has offered a PDF with more information about last year’s incidents. It has also issued security notes for users of Free, Premium, and Families accounts, as well as a note for business administrators. Also of note is LastPass’s decision to add <meta name="robots" content="noindex"> HTML tags to the support bulletins, Bleeping Computer reports, which tells search engines not to index them.

Industry perspectives on the implications of the LastPass incidents.

According to Avishai Avivi, CISO at SafeBreach, good password management practices are a must, whether or not you’re implementing password managers:

“Password Managers, especially popular ones like LastPass, are a very appealing target for malicious actors. We commend LastPass for publicly disclosing this latest incident and issuing an excellent and thorough blog with recommendations to LastPass administrators. We wouldn’t necessarily recommend that companies look to migrate away from LastPass. As is usually the case, a security tool is only as good as how well it is implemented. In our current hyper-connected world, the use of a password manager is crucial.

“That does not mean you can reuse the same password for multiple sites, just because you store these passwords in a secure vault. You should also practice good password hygiene when protecting your password manager. We also recommend that end users enable multi-factor authentication (MFA) wherever possible. From the reports, it seems that LastPass is proactively monitoring its systems, and is working to help its customers refresh the security of their password management. And while the LastPass blog is written with LastPass customers in mind, the recommendations they make are applicable to all password managers. The fact that LastPass is the only password manager vendor that publicly disclosed an incident does not mean that other password manager vendors have not been attacked, or breached.”

Torsten George, VP, Corporate & Product Marketing at Absolute Software, notes the importance of managing cyber risk within your own infrastructure:

“The admission of a second successful data breach of password management software firm LastPass by exploiting a DevOps engineer’s personal computer illustrates how vital it is for security practitioners to review the entire cyber-attack lifecycle to gain a full grasp of the areas that need to be addressed as part of an in-depth defense approach. Unfortunately, media coverage of mega breaches (e.g., SolarWinds, Capital One) often puts a spotlight on the tail end of the attack chain, focusing on the exfiltration points rather than how the threat actor got there.

“Organizations must therefore have the visibility required and security controls in place to ensure that their endpoints remain secure. Establishing policies for proper usage is no longer sufficient. Knowing the number of devices that contain sensitive information, for example, as well as ensuring the security applications on those devices are self-healing, can enable IT and security professionals to mitigate the risk of compromise substantially.”