LastPass: hackers breached the computer of a DevOps engineer in a second attack

Threat actors hacked the home computer of a DevOps engineer and installed a keylogger as part of a sophisticated cyber attack.


Password management software firm LastPass disclosed a “second attack”: a threat actor used data stolen from the August security breach and combined it with information available from a third-party data breach. The attackers then exploited a flaw in a third-party media software package to target the firm.


“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.” reads the update published by the company. “The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources.”

LastPass revealed that the home computer of one of its DevOps engineers was hacked as part of a sophisticated cyberattack.

The attackers targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service. The hackers installed a keylogger on the DevOps engineer’s computer and captured his master password.


“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware.” continues the update. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The investigation conducted by the company with the help of the cybersecurity firm Mandiant confirmed the attack on the DevOps engineer’s home computer.


“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.” concludes the update.

In August 2022, the company disclosed a security breach: threat actors had access to portions of the company’s development environment through a single compromised developer account and stole portions of source code and some proprietary technical information.

In December 2022, LastPass revealed that the data breach suffered in August 2022 may have been more severe than previously thought.

On Thursday, the company revealed that threat actors obtained personal information belonging to its customers, including encrypted password vaults.

The company discovered that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August security incident. The attackers used that information to target another employee and obtain credentials and keys, which were then used to access and decrypt some storage volumes within the cloud-based storage service.

The update highlights that the cloud storage service accessed by the threat actor is physically separate from the production environment.

Once they had obtained the cloud storage access key and the dual storage container decryption keys, the attackers copied information from a backup that contained basic customer account information and related metadata. The copied data includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor also copied a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format. The backup contains both unencrypted data (i.e. website URLs) and 256-bit AES-encrypted sensitive fields (i.e. website usernames and passwords, secure notes, and form-filled data).
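The paragraph above describes a backup in which site URLs sit in the clear next to AES-256-encrypted credentials. The Go program below is an added example, not LastPass’s code or its vault format: it models that split to show what a party holding only the backup file can read. The URLs come out without any key, while the username, password and notes fields need the vault key, and a wrong key (or a record re-labelled with another site’s URL) fails authentication. The record layout, the two sample entries and the SHA-256 stand-in for key derivation are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Secrets holds the fields the article lists as AES-encrypted in the backup.
type Secrets struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Notes    string `json:"notes"`
}

// VaultEntry models one record of a constructed backup: the site URL is stored
// in the clear, everything else is AES-256-GCM ciphertext (nonce || sealed JSON).
// This layout is an assumption for the example, not LastPass's real binary format.
type VaultEntry struct {
	URL        string
	Ciphertext []byte
}

// DeriveKey is a stand-in KDF so the example runs: SHA-256 of the master
// password gives a 32-byte key, which selects AES-256. A real vault uses a
// slow, salted password hash here instead.
func DeriveKey(masterPassword string) []byte {
	sum := sha256.Sum256([]byte(masterPassword))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the sensitive fields. The URL is passed as additional
// authenticated data, so a record cannot be re-labelled with another site.
func Seal(key []byte, url string, s Secrets) (VaultEntry, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return VaultEntry{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VaultEntry{}, err
	}
	plain, err := json.Marshal(s)
	if err != nil {
		return VaultEntry{}, err
	}
	return VaultEntry{URL: url, Ciphertext: gcm.Seal(nonce, nonce, plain, []byte(url))}, nil
}

// Open recovers the sensitive fields; it fails on a wrong key or a tampered record.
func Open(key []byte, e VaultEntry) (Secrets, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Secrets{}, err
	}
	ns := gcm.NonceSize()
	if len(e.Ciphertext) < ns {
		return Secrets{}, errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, e.Ciphertext[:ns], e.Ciphertext[ns:], []byte(e.URL))
	if err != nil {
		return Secrets{}, err
	}
	var s Secrets
	err = json.Unmarshal(plain, &s)
	return s, err
}

// VisibleWithoutKey lists what someone holding only the backup file can read:
// the plaintext URLs, i.e. which services each customer has an account with.
func VisibleWithoutKey(backup []VaultEntry) []string {
	urls := make([]string, 0, len(backup))
	for _, e := range backup {
		urls = append(urls, e.URL)
	}
	return urls
}

// BuildSampleBackup seals two constructed entries under the given key.
func BuildSampleBackup(key []byte) ([]VaultEntry, error) {
	bank, err := Seal(key, "https://bank.example", Secrets{"alice", "correct-horse", "account 1234"})
	if err != nil {
		return nil, err
	}
	mail, err := Seal(key, "https://mail.example", Secrets{"alice@example", "battery-staple", ""})
	if err != nil {
		return nil, err
	}
	return []VaultEntry{bank, mail}, nil
}

func main() {
	key := DeriveKey("constructed-master-password")
	backup, err := BuildSampleBackup(key)
	if err != nil {
		panic(err)
	}
	fmt.Println("readable without the master password:", VisibleWithoutKey(backup))
	if _, err := Open(DeriveKey("wrong-guess"), backup[0]); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	s, _ := Open(key, backup[0])
	fmt.Println("with the master password:", s.Username, s.Password)
}
```

The point for a defender is the first line of output: even with the sensitive fields properly encrypted, the URL list alone tells whoever holds the backup which banks, mail providers and internal services each customer uses, which is enough to prioritise phishing or credential-stuffing targets. Encrypting that metadata as well, or at least treating a backup leak as a full disclosure of it, is the mitigation this split implies.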


Pierluigi Paganini (SecurityAffairs – hacking, LastPass)




About Author

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.