LastPass Breached Again? Part Deux

In early September of 2022, we reported on a security incident that occurred at LastPass in late August.  As a reminder, LastPass is a password manager: software intended to store passwords in encrypted form and retrieve them easily.  Other popular password managers include Bitwarden, Dashlane, and 1Password.  LastPass is very possibly the best known of them, and it had suffered several security incidents even before the one we reported on in September.  Unfortunately, the results of an exhaustive investigation by LastPass indicate that this incident has grown into something much more complex than one might have expected.

To recap, LastPass confirmed on August 25th, 2022, that it had detected unusual activity in its development environment, which led to the discovery of a compromised developer account.  LastPass also confirmed that proprietary technical information and source code had been stolen.  At the time, there was no indication that any user data had been compromised.  Fast-forward to December 22nd, 2022: LastPass reported another security incident, this time noting that customer vault data had been stolen.  We cover the extent of the customer data exposed below.

LastPass reaffirmed that no customer data was accessed during the August incident, but some of the technical data and source code stolen then was used to target an employee, which resulted in the threat actor obtaining credentials and keys that could be used to access cloud-based storage.  Specifically, the combination of the information stolen in August, information obtained in another breach, and a remote code execution vulnerability in a third-party media software package was used to install a keylogger on a DevOps engineer's home computer.  With the keylogger in place, the threat actor captured the employee's master password as it was entered, after the engineer had already authenticated with MFA, so the second factor offered no protection, and gained access to the engineer's corporate vault.  One important aspect to note is that the threat actor apparently had access from August until October, since the credentials in use remained valid throughout that period.  The threat actor's behavior was eventually detected through AWS GuardDuty alerts.

We can summarize the data stolen across the two incidents as follows.  During the first incident, the types of data stolen were cloud-based development and source code repositories, internal scripts containing LastPass secrets and certificates, and internal documentation describing how the development environment operates.  During the second incident, the types of data stolen were the DevOps secrets used to gain access to cloud backup storage; a backup of an MFA/Federation database containing copies of LastPass Authenticator seeds and the telephone numbers used for the MFA backup option; and other backed-up data, including configuration data, API secrets, third-party integration secrets, customer metadata, and customer vault data.  The vault data contains unencrypted fields such as website URLs alongside encrypted fields such as usernames and passwords.  Because the encrypted fields can only be opened with a key derived from the customer's master password, an attacker holding a copy of the vault can attempt to guess that password offline, with no server-side rate limiting or lockout to slow the attempt.  Focusing on customer data specifically, the threat actor was also able to access a wide variety of unencrypted account information, including LastPass usernames, billing addresses, email addresses, phone numbers, and the IP addresses from which customers accessed the service.

In terms of remediation, LastPass has taken a number of steps to bolster its security and operations.  After the first incident, LastPass decommissioned the breached development environment and built a new one, in addition to rotating the relevant cleartext secrets and certificates.  It also began deploying additional security controls alongside its existing ones.  After the second incident, LastPass analyzed its cloud-based storage resources and applied additional policies.  As expected, it also revised existing access controls and rotated the affected secrets and certificates.

There are several actions LastPass is recommending to all of its customers.  For Free, Premium, and Families customers it is recommended to ensure the strength of the master password and to raise the password iteration count (the number of PBKDF2 rounds used to derive the vault key from the master password) to 600,000 or more if it is not already there.  It is also critical for customers to evaluate their overall password hygiene and ensure passwords are not being reused, especially the LastPass master password.  LastPass also recommends that customers enable dark web monitoring and multifactor authentication on their accounts.  Customers already using MFA should regenerate their shared secrets, since the stolen MFA database backup contained copies of the authenticator seeds.  Recommendations for business customers are largely similar, with the addition of enforcing strong password policies, reviewing super admin best practices, and resetting API and SAML keys, among other similar procedures.  Interestingly, a statement to BleepingComputer indicates that the recommendation bulletins were initially not indexed for public search because LastPass wanted to give business administrators time to prepare before a public announcement.
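The iteration-count recommendation is worth seeing in concrete terms.  The script below is an added illustration, not LastPass's code: it models what an attacker holding a stolen vault can do, namely derive candidate keys from guessed master passwords offline, where no server is present to rate-limit or lock the account.  The key derivation is an assumption modeled on the commonly described LastPass scheme (PBKDF2-HMAC-SHA256 over the master password, salted with the lower-cased account e-mail); the e-mail address, wordlist and iteration counts other than 600,000 are constructed sample values.

```python
import hashlib
import hmac
import time

# Added illustration, not LastPass code.  Assumption: the vault key is derived with
# PBKDF2-HMAC-SHA256 from the master password, salted with the lower-cased account
# e-mail, as the LastPass scheme is commonly described; the real construction may differ.
KEY_LEN = 32
# 5,000 and 100,100 are older LastPass defaults cited in coverage of the breach;
# 600,000 is the minimum LastPass now recommends.
ITERATION_COUNTS = (5_000, 100_100, 600_000)


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the symmetric vault key.  This key is all that protects the encrypted fields."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        KEY_LEN,
    )


def offline_crack(candidates, email: str, iterations: int, target_key: bytes):
    """Model an attacker with a copy of the vault: try guesses offline until one derives
    the right key.  Returns (password, guesses_used), or (None, guesses_used) on failure."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(derive_vault_key(guess, email, iterations), target_key):
            return guess, tried
    return None, tried


def seconds_to_exhaust(guesses_per_second: float, keyspace: int) -> float:
    """Worst-case time to try every guess in a keyspace of the given size at the given rate."""
    return keyspace / guesses_per_second


def measure_guess_rate(email: str, iterations: int, samples: int = 3) -> float:
    """Rough single-core guessing rate for this iteration count, in guesses per second."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"bench-{i}", email, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample account
    # constructed wordlist; the last entry is the "victim's" master password
    wordlist = ["password", "letmein", "Summer2022!", "correct horse battery staple"]
    target = derive_vault_key("correct horse battery staple", email, 600_000)
    found, used = offline_crack(wordlist, email, 600_000, target)
    print(f"offline guessing recovered {found!r} after {used} tries at 600,000 iterations")
    # Raising iterations from 5,000 to 600,000 multiplies the attacker's cost 120x,
    # but a master password that appears in a wordlist still falls; both controls matter.
    for n in ITERATION_COUNTS:
        rate = measure_guess_rate(email, n)
        hours = seconds_to_exhaust(rate, 10_000_000) / 3600
        print(f"{n:>7} iterations: ~{rate:8.1f} guesses/s per core; "
              f"a 10-million-word list takes ~{hours:.1f} h on one core")
```

The measured rate is for a single CPU core in Python's C-backed PBKDF2; a real adversary would run the same derivation on GPUs, which is why the iteration count only buys time and a master password absent from any wordlist is still the primary control.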

In summary, LastPass is a very popular password management solution with a troubled history, with security incidents dating back to 2011.  Two recent, very pronounced incidents, occurring in August and December, appear to be linked by both threat actor and attack vector.  Information stolen during the August incident was used by the threat actor to perpetrate the December incident, leading to the compromise of customer data.  The results of the investigations into these incidents are just being released.  Given the wide array of data that has been stolen, from proprietary LastPass information and source code, to DevOps credentials for cloud storage backups, to customer data, LastPass is recommending that its users take steps to keep their data as secure as possible.  Users should strengthen or change their master passwords, raise their iteration count, and reset their MFA secrets, and businesses should review their password policies and super admin best practices and reset their API and SAML keys.

[1]: https://redskyalliance.org/xindustry/lastpass-breached-again

[2]: https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/

[3]: https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/

[4]: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

[5]: https://support.lastpass.com/help/incident-2-additional-details-of-the-attack

[6]: https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/

[7]: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers

[8]: https://support.lastpass.com/help/security-bulletin-recommended-actions-for-business-administrators

[9]: https://www.cnet.com/tech/services-and-software/lastpass-issues-update-on-data-breach-but-users-should-still-change-passwords/

About Red Sky Alliance


Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989