(Image source: LastPass, n.d.-c)
One-sentence summary:
LastPass discloses 2022 breach updates, clarifying two separate hacks and a third-party software exploit on a DevOps engineer’s computer.
Who was involved?
LastPass, LastPass software engineer, a senior DevOps Engineer, and the adversary.
What was the timeline?
August 8, 2022: Threat actor made initial access into LastPass (Toubba, 2023, para. 3).
August 12, 2022: Threat actor is detected on the network by LastPass, and Incident 1 ceases (LastPass, n.d.-a, para. 1). Incident 2 begins (LastPass, n.d.-b, para. 3).
August 13, 2022: Mandiant is engaged (LastPass, n.d.-a, para. 3).
October 26, 2022: Threat actor is contained by LastPass.
December 22, 2022: Initial press release by LastPass over the breach.
February 24, 2022: Latest update is posted on LastPass’s website (Toubba, 2023).
What occurred?
In August 2022, an unknown threat actor successfully breached a software engineer’s work computer (potentially through their home network), gaining initial access in Incident 1 (LastPass, n.d.-a, paras. 1-4, 11). The threat actor bypassed EDR and impersonated the software engineer’s valid access to exfiltrate 14 of LastPass’s 200 source code repos and obtain development “cleartext embedded credentials” and “stored digital certificates” (LastPass, n.d.-a, paras. 5-7).

While Mandiant and LastPass may have thought the actor was gone after initial containment, the actor was just getting started. They apparently returned the same day with a vengeance and utilized an RCE vulnerability in third-party software to hack a senior DevOps engineer (LastPass, n.d.-b, paras. 1-5, 11; Toubba, 2023, p. 2). Update 4/4/2023: the third-party software was reported to be Plex and was exploited via CVE-2020-5741 (Lakshmanan, 2023).

They spent over two months in a backup environment and collected partial crown jewels (without customer master passwords): “contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data” (Toubba, 2023, p. 3). This was one of the three major categories breached in the second incident: “cloud-based backup storage” (Toubba, 2023, p. 3). The other breached categories were “DevOps secrets” and “Backup of LastPass MFA/Federation Database,” including “LastPass Authenticator seeds” and certain decryption keys (p. 3). October 26, 2022, was the adversary’s last known date of activity within LastPass (Toubba, 2023, p. 1). The implications of the breaches are too multivariable for a summary; for implications and remedial advice, see https://support.lastpass.com/help/what-data-was-accessed and https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/.
Estimated costs:
Incident response costs, including Mandiant (Toubba, 2023, p. 2).
Involved laws:
TBA or N/A (see disclaimer)
Root cause:
Potentially the engineer’s “home network,” and definitely a third-party software RCE vulnerability (LastPass, n.d.-a, para. 11; LastPass, n.d.-b, para. 1).
Lessons learned:
Assess and harden home networks. Substantially limit third-party software on corporate devices through application whitelisting to reduce the attack surface. Limit OAuth grants and consent given to third-party applications with corporate identities and resources. Many other lessons learned are enumerated within the cited sources and are worth investigating; however, I am focusing on the lessons that address the root causes.
Commentary:
BleepingComputer reported that “noindex” tags were on the LastPass documents; however, I found the “Security Incident Update and Recommended Actions” and additional-detail posts available on Google or without noindex tags (Abrams, 2023). Only the “What data was accessed?” page appeared to have the noindex tag (LastPass, n.d.-d). Metadata was extracted to get the date of the “Security Incident Update and Recommended Actions” PDF (Toubba, 2023). LastPass’s remedial efforts on both support pages are comprehensive and a model for other organizations suffering data breaches. Kudos to LastPass and Mandiant! However, LastPass has had two prior breaches, one in 2015 and one in 2011: https://www.wired.com/2015/06/hack-brief-password-manager-lastpass-got-breached-hard/. Those will be covered in future posts, and any alignment with the latest breach will be elucidated.
Sources:
Abrams, L. (2023, February 28). LastPass: DevOps engineer hacked to steal password vault data in 2022 breach. BleepingComputer. https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/
Lakshmanan, R. (2023, March 7). LastPass Hack: Engineer’s Failure to Update Plex Software Led to Massive Data Breach. The Hacker News. Retrieved April 4, 2023, from https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
LastPass. (n.d.-a). Incident 1 – Additional details of the attack – LastPass Support. LastPass Support. Retrieved February 28, 2023, from https://support.lastpass.com/help/incident-1-additional-details-of-the-attack
LastPass. (n.d.-b). Incident 2 – Additional details of the attack – LastPass Support. LastPass Support. Retrieved February 28, 2023, from https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
LastPass. (n.d.-c). LastPassLogoShadow.png. https://lastpass.com/media/pressroom/LastPassLogoShadow.png
LastPass. (n.d.-d). What data was accessed? – LastPass Support. LastPass Support. Retrieved February 28, 2023, from https://support.lastpass.com/help/what-data-was-accessed
Toubba, K. (2023, February 24). Security Incident Update and Recommended Actions. lastpass.com. Retrieved February 28, 2023, from https://support.lastpass.com/download/lastpass-blog-security