LastPass revealed more information on a “coordinated second attack,” where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.
LastPass disclosed a breach in December where threat actors stole partially encrypted password vault data and customer information.
The company has now disclosed how the threat actors performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer’s computer.
LastPass says this second coordinated attack used the stolen data from the first breach to gain access to the company’s encrypted Amazon S3 buckets.
As only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers successfully installed a keylogger on the employee’s device by exploiting a remote code execution vulnerability in a third-party media software package.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” reads a new security advisory published today.
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
The use of valid credentials made it difficult for the company’s investigators to detect the threat actor’s activity, allowing the hacker to access and steal data from LastPass’ cloud storage servers for over two months, between August 12, 2022, to October 26, 2022.
LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
The company says they have since updated their security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.
A large amount of data was accessed
As part of today’s disclosure, LastPass has released more detailed information on what customer information was stolen in the attack.
Depending on the particular customer, this data is wide and varied, ranging from Multifactor Authentication (MFA) seeds, MFA API integration secrets, and to Split knowledge component (“K2”) Key for Federated business customers.
A complete list of stolen data is below, with a more detailed and easier-to-read chart on a support page.
Summary of data accessed in Incident 1:
On-demand, cloud-based development and source code repositories – this included 14 of 200 software repositories.
Internal scripts from the repositories – these contained LastPass secrets and certificates.
- Internal documentation – technical information that described how the development environment operated.
Summary of data accessed in Incident 2:
DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use casesinvolving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
All of today’s support bulletins are not easy to find, with none of them listed in search engines, as the company added
HTML tags to the document to prevent them from being indexed by search engines.
LastPass also released a PDF titled “What actions should you take to protect yourself or your business,” which contains further steps customers can perform to protect their environments.