[German]LastPass was the victim of two hacks in 2022, in which attackers gained access to its infrastructure. At first, it was said that the development environment had "only been hacked". Then the extent of the attack and a second attack on the cloud service for managing passwords gradually became public. Now LastPass has revealed more information about how the 2nd hack could have happened. The attack probably succeeded via a compromised private PC of a developer who was one of four people who had access to the company's private keys.
The LastPass hack
LastPass is a service for storing one's passwords and credentials for online accounts – with that data stored in a data vault called Vault in the cloud. The provider was forced to report a security incident in August 2022 in which its development environment was hacked (see LastPass security incident: Development environment hacked (August 25, 2022)). The attackers had four days to look around the internal IT network, according to LastPass (see links at end of article).
In Nov. 2022, it was revealed that LastPass customer data could be stolen after a cloud storage service was hacked. on Dec. 20, 2022, the provider admitted to the next security incident. The attacker had managed to rip off the encrypted Vault database containing user data (see LastPass says hackers has stolen encrypted Vault database backup with user data). So it's only slowly coming out that the hack was possible via a chain of unsightly circumstances.
New findings about the hack
In a new statement, LastPass now discloses how the hack could succeed. The suspicion that the first hack in Augst 2022 captured information that could be used for the second attack is confirmed. The investigation revealed that after the first incident, which ended on Aug. 12, 2022, the threat actor moved on to a new set of reconnaissance, enumeration and exfiltration activities targeting the LastPass cloud storage environment, spanning from Aug. 12, 2022, to Oct. 26, 2022.
In the first hack, encrypted credentials of a LastPass employee were captured. LastPass did reset the accounts and also activated the logging and monitoring features for accesses. But the attackers now used a different tactic and compromised the private PC of a LastPass DevOps developer to install a KeyLogger there.
In total, there were only four DevOps developers at LastPass who had access to a highly restricted set of shared folders in a LastPass password manager vault. The folder was used by DevOps engineers to perform administrative tasks in these environments.
In order to compromise the DevOps developer's private PC, his system was exploited by a third-party media software package. Remote code execution was possible via this package, allowing a keylogger to be installed. This enabled the attacker to capture the employee's master password as it was entered, and after the employee had authenticated with MFA (two-factor authentication). This gave the attacker access to the DevOps engineer's LastPass enterprise vault.
Addendum: According to arstechnica, qouting an anymous source, the media software package was Plex. Plex have had it's own network breach, but it's not clear, whether there is a connection between the two cases.
The threat actor then exported the native entries of the enterprise vault and the contents of the shared folders. These contained the encrypted secure notes with access and decryption keys required to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. This arguably gave the attackers the jackpot and thus access to the AWS S3 cloud structures.
Due to this fact, it was difficult for forensics performed by Mandiant specialists to trace the details of the hack. In the recent post, LastPass describes all the measures they had executed to ensure the security of the system. The problem, however, was that the baby had already been dropped in the well with the first hack and was then thrown into the water again with the hack of the DevOps developer's private PC. Brian Krebs writes in the following post:
LastPass has released more details about the two intrusions last year that were traced back to the same attacker.
There's a lot to unpack here, but this detail about the attack on a LastPass DevOps employee on his home computer is a bit sobering.
Then he derived the key messages from the text above. If the DevOps developer had only used an isolated PC to access the LastPass cloud structure and had not installed any other software, the second hack would probably not have been possible.
The question for LastPass users now is whether the captured data from the password safe is still safe. These are in encrypted form in the captured database. With the encryption used (Password-Based Derivation Function 2, PBKDF2), this is very difficult to crack at first glance. But security researchers pointed out that the number of password iterations set for PBKDF2 may be crucial.
LastPass provides instructions on how to check this setting and uses a value of 100,100 as the default. But users report configuring a value of 5,000 there, and some set the value to 500. There are even people who have set a value of 1 for a retry there. The accounts with very low values for the PBKDF2 password iterations are now at risk of the password safe being cracked. Then the attackers would be in possession of all the credentials of that user.
The bottom line is that it is quite a mess that has hit the provider and its users. The provider has tolerated avoidable security risks in its processes – the users may have additionally ensured a weakening of the password encryption.
LastPass security incident: Development environment hacked (August 25, 2022)
LastPass confirmed: Attackers had access to internal systems for four days
LastPass customer data accessed after cloud storage service hack (Nov. 2022)
LastPass says hackers has stolen encrypted Vault database backup with user data
Cookies helps to fund this blog: Cookie settings