Attackers Hacked Into LastPass Via Employee's Home Computer
Attackers Exploited Vulnerability in Third-Party Software for Access
The situation at password manager company LastPass keeps getting worse: In an undated update, the company now says hackers implanted keylogger software on a DevOps employee's home computer to obtain access to the corporate vault.
Through the keylogger, implanted via a third-party media software package with a remote code execution vulnerability, the hacker was able to capture the employee's master password and circumvent the multifactor authentication requirement for accessing the corporate vault.
The hacker stole "encrypted secure notes with access and decryption keys" needed to access production backups stored in the company's Amazon Web Services cloud storage account. The targeted employee was one of four company employees who had access to decryption keys needed to access the AWS account, the company says.
LastPass says the stolen data includes customer metadata, API secrets, third-party integration secrets and configuration data. Backups of customer vault data also were exfiltrated, but the company says they can only be decrypted with the end user master password, which is not stored or known by LastPass. Hackers also obtained customer telephone numbers used for multifactor authentication backup.
The company warns that the hackers behind what it called a coordinated attack may attempt to brute-force decryption of customer data vaults and use customer data to target users with phishing attacks or attempted credential stuffing attacks against their accounts. Included in the data hackers obtained were unencrypted URLs of websites that match a saved entry in customers' vaults.
LastPass did not reveal the software package vulnerability hackers exploited to place a keylogger on an employee's computer. Ars Technica reported the software exploited by the attackers was the Plex media platform.
LastPass has slowly acknowledged a widening set of impacts stemming from an August breach the company first assessed as affecting nothing beyond its source code and proprietary technical information. That changed in December, when the company first said hackers had been able to copy encrypted customer vault data.
The threat actor "pivoted from the first incident," engaging in a "new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022," the company says.
"The word pivot in this context is just a jargon way of saying, 'Where the crooks went next,'" wrote cybersecurity company Sophos in a report on the attack.
Spotting the hacker operating inside its AWS account was difficult, LastPass says, since the attacker had valid credentials stolen from a senior DevOps engineer. That "initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity." Eventually, the AWS threat detection service spotted anomalous behavior.
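The detection problem described above is the general one: once an attacker holds a valid credential, the identity on each event is no longer a signal, and what remains is how that identity behaves (source address, client, API mix, hours, resources touched) compared with its own history. The following is an added example, not LastPass's code and not the logic of any AWS detection service: a small baseline-and-deviation detector over CloudTrail-style events. Every principal name, IP address (RFC 5737 test ranges), bucket name and timestamp is constructed for the example.

```python
"""
Added example (not from LastPass or AWS): profile each principal's normal
behaviour from a baseline window of CloudTrail-style events, then flag
later events from the same (valid) credential that deviate in several ways
at once. Constructed sample data throughout.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: a hypothetical engineer working from one address,
# one CLI, during the day, against a CI artifacts bucket.
BASELINE_EVENTS = [
    {"eventTime": "2022-08-01T09:12:00Z", "user": "devops-engineer",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
     "eventName": "DescribeInstances", "bucket": None},
    {"eventTime": "2022-08-01T10:40:00Z", "user": "devops-engineer",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
     "eventName": "GetObject", "bucket": "ci-artifacts-example"},
    {"eventTime": "2022-08-02T14:05:00Z", "user": "devops-engineer",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
     "eventName": "PutObject", "bucket": "ci-artifacts-example"},
]

# Constructed recent window: legitimate use continues, then the same
# credential is used from a new address and client, off-hours, to enumerate
# buckets and read from a backups bucket it never touched before.
RECENT_EVENTS = [
    {"eventTime": "2022-08-15T11:00:00Z", "user": "devops-engineer",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11.0",
     "eventName": "GetObject", "bucket": "ci-artifacts-example"},
    {"eventTime": "2022-08-16T03:21:00Z", "user": "devops-engineer",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.26.0",
     "eventName": "ListBuckets", "bucket": None},
    {"eventTime": "2022-08-16T03:24:00Z", "user": "devops-engineer",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.26.0",
     "eventName": "GetObject", "bucket": "prod-backups-example"},
]


def _hour(event):
    """Hour of day (UTC) from an ISO-8601 event timestamp."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour


def build_profiles(events):
    """Per-principal sets describing what 'normal' looked like in the baseline."""
    profiles = defaultdict(lambda: {"ips": set(), "agents": set(), "apis": set(),
                                    "buckets": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["ips"].add(e["sourceIPAddress"])
        p["agents"].add(e["userAgent"])
        p["apis"].add(e["eventName"])
        if e["bucket"]:
            p["buckets"].add(e["bucket"])
        p["hours"].add(_hour(e))
    return profiles


def score_event(event, profile):
    """List every way this event deviates from the principal's own baseline."""
    reasons = []
    if event["sourceIPAddress"] not in profile["ips"]:
        reasons.append("new_source_ip")
    if event["userAgent"] not in profile["agents"]:
        reasons.append("new_user_agent")
    if event["eventName"] not in profile["apis"]:
        reasons.append("new_api_call")
    if event["bucket"] and event["bucket"] not in profile["buckets"]:
        reasons.append("new_bucket")
    if _hour(event) not in profile["hours"]:
        reasons.append("outside_usual_hours")
    return reasons


def detect(baseline, recent, threshold=2):
    """Alert on recent events that deviate from baseline in >= threshold ways.

    One deviation at a time (a new API call, an unusual hour) is routine for
    a real user; several at once from one valid credential is what merits
    an analyst's attention. Principals with no baseline are always flagged.
    """
    profiles = build_profiles(baseline)
    alerts = []
    for e in recent:
        profile = profiles.get(e["user"])
        reasons = score_event(e, profile) if profile else ["unknown_principal"]
        if len(reasons) >= threshold or "unknown_principal" in reasons:
            alerts.append({"eventTime": e["eventTime"], "user": e["user"],
                           "eventName": e["eventName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_EVENTS, RECENT_EVENTS):
        print(alert)
```

The legitimate recent event trips only one check (an hour not seen in the short baseline) and stays below the threshold; the two events from the new address each trip four and are raised. The threshold is the tuning knob: too low and every travelling engineer pages someone, too high and a slow, patient actor who changes one attribute at a time stays under it, which is the trade-off the months-long dwell time in this incident illustrates.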
LastPass is one of the world's most popular password management services. The company says it is used by more than 33 million individuals and 100,000 businesses.