LastPass Hack: Engineer’s Failure to Update Plex Software Led to Massive Data Breach

Mar 07, 2023, Ravie Lakshmanan. Password Security / Software Update
The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what’s a sobering reminder of the dangers of failing to keep software up-to-date.

The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details “available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack” between August and October 2022.

The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information.

The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with a keylogger malware to obtain the credentials and breach the cloud storage environment.

This, in turn, is said to have been made possible by exploiting a nearly three-year-old, now-patched flaw in Plex to achieve code execution on the engineer’s computer, the streaming media service told The Hacker News in a statement.

The vulnerability in question is CVE-2020-5741 (CVSS score: 7.2), a deserialization flaw impacting Plex Media Server on Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.

“This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it,” Plex said in an advisory released at the time.


The issue, which was discovered and reported to Plex by Tenable in March 2020, was addressed by Plex in version 1.19.3.2764, released on May 7, 2020. The current version of Plex is 1.31.1.6733.

“Unfortunately, the LastPass employee never upgraded their software to activate the patch,” Plex said in a statement. “For reference, the version that addressed this exploit was roughly 75 versions ago.”
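The lesson of the article is patch hygiene: an installed Plex build older than 1.19.3.2764 is still exposed to CVE-2020-5741. The following script is an added example, not code from the article, LastPass, Plex or Tenable; it shows how a defender can check a server's reported version against the fixed version. It assumes (not confirmed by the article) that a local Plex Media Server answers GET /identity on port 32400 with a MediaContainer XML document whose version attribute carries a string like 1.31.1.6733-<build hash>; the sample response below is constructed for the example. The comparison is done numerically per component, because a plain string comparison would rank 1.9.x above 1.19.x and report a vulnerable build as patched.

```python
"""Patch-hygiene check: is a Plex Media Server build older than the CVE-2020-5741 fix?"""
import re
import xml.etree.ElementTree as ET

# Version in which Plex fixed CVE-2020-5741 (from the Plex advisory cited in the article).
FIXED_VERSION = "1.19.3.2764"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.19.3.2764' (or '1.31.1.6733-abc123') into (1, 19, 3, 2764).

    Assumption: Plex appends a build suffix after '-'; it is dropped before parsing.
    Components are converted to integers so comparisons are numeric, not lexical.
    """
    core = v.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version predates the version that shipped the fix."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so that 1.19.3 compares as 1.19.3.0.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_identity_xml(xml_text: str) -> str:
    """Extract the 'version' attribute from a Plex /identity response.

    Assumption: the response root is <MediaContainer ... version="..."/>.
    """
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if version is None:
        raise ValueError("no version attribute in identity response")
    return version


# Constructed sample response for offline use; not captured from a real server.
SAMPLE_IDENTITY_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<MediaContainer size="0" claimed="1" machineIdentifier="EXAMPLE-MACHINE-ID" '
    'version="1.18.9.2578-constructed"></MediaContainer>'
)


def check_server(xml_text: str) -> dict:
    """Report the installed version and whether it predates the CVE-2020-5741 fix."""
    installed = version_from_identity_xml(xml_text)
    return {
        "installed": installed,
        "fixed_in": FIXED_VERSION,
        "vulnerable_to_cve_2020_5741": is_vulnerable(installed),
    }


if __name__ == "__main__":
    # Live use (assumed endpoint): xml_text = urllib.request.urlopen(
    #     "http://localhost:32400/identity").read().decode()
    print(check_server(SAMPLE_IDENTITY_XML))
```

A build that reports exactly 1.19.3.2764 or anything newer is considered patched; every earlier build, including the constructed 1.18.9 sample, is flagged.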
