Good grief, LastPass. The popular password management firm, whose whole business is safeguarding people’s sensitive information, has become a breach statistic. One lingering question keeps coming up:
How did cybercriminals break into LastPass despite countless security measures?
Let’s walk through the root cause to find the blind spot and the lessons of the LastPass breach.
The Origin Of LastPass Breach
The cybercriminal used third-party VPN services to obscure the origin of the threat activity. In parallel, the cybercriminal accessed a cloud-based development environment while masquerading as the software engineer’s laptop. The route into that environment was the LastPass corporate VPN: the cybercriminal established a dedicated connection by relying on the software engineer’s domain credentials and MFA.
The cybercriminal then leveraged this access to the cloud-based development environment to obtain technical documentation along with LastPass source code from the software engineer’s laptop. Of the 200 source code repositories covering the different components of the LastPass service, 14 ended up in the cybercriminal’s hands.
Some of the stolen source code contained:
- Cleartext embedded credentials
- Digital certificates related to development environments
- Encrypted credentials
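The first item above, cleartext credentials embedded in source code, is the kind of exposure a repository secret scan is meant to catch before an attacker who steals the code does. The following scanner is an added example written for this post, not LastPass’s or Mandiant’s tooling; its patterns, the file names and every secret value in the constructed sample files are made up for illustration (the `AKIA...EXAMPLE` key ID is the sample from AWS documentation, not a live credential).

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # enough to locate the secret in the repo, never the whole value


# Detection patterns constructed for this example; a production scanner carries many more.
PATTERNS = {
    # AWS access key IDs: fixed "AKIA" prefix followed by 16 uppercase letters/digits.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private-key header committed to the repository.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A credential-like name assigned a quoted literal of six or more characters.
    # Values pulled from the environment at runtime are not quoted literals and do not match.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']{6,})[\"']"
    ),
}


def redact(value: str) -> str:
    """Keep a short prefix and the length so the report itself does not leak the secret."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one file and collect redacted findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                # Patterns with a capture group report just the secret value, others the whole match.
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map, e.g. the files of one commit."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (not real files, not real credentials).
SAMPLE_FILES = {
    "config.py": (
        'DB_USER = "app"\n'
        'DB_PASSWORD = "hunter2-not-real"\n'      # constructed cleartext credential: flagged
        'API_TOKEN = os.environ["API_TOKEN"]\n'   # loaded at runtime: not flagged
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS docs sample key ID
    "id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIE(constructed, truncated)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line} {finding.kind} {finding.redacted}")
```

Run as a pre-commit or CI step over the changed files, the scan reports three findings for the sample and nothing for the environment-loaded token; the redacted output is what belongs in a ticket, since the point of the report is to rotate the credential, not to copy it somewhere else.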
LastPass investigated the whole activity by engaging Mandiant for assistance with incident response. Because the cloud-based development environment and the on-premises production data centers are physically and logically separated, no customer data was stolen during the initial breach. LastPass then proceeded with containment, eradication, and recovery as part of its incident response.
A Twist In LastPass Breach
LastPass says, “Despite high confidence in the outcomes of our investigation and actions taken in response to the first incident, the threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack.”
As mentioned in the first part, the cybercriminal obtained encrypted credentials but not the decryption keys. Those keys could be retrieved from two locations:
- A key-value pair used to access backups of LastPass development & production environment, or
- A highly restricted set of folders in a LastPass password manager vault used by DevOps engineers.
Hence, the cybercriminal targeted one of the four DevOps engineers with access to the highly restricted set of folders holding the decryption keys for the cloud storage services. Specifically, the cybercriminal targeted the DevOps engineer’s personal computer by exploiting a vulnerable third-party media software package. With remote code execution, the cybercriminal implanted keylogger malware to capture the engineer’s master password. Once the DevOps engineer authenticated with MFA, the cybercriminal gained access to the LastPass corporate vault.
The cybercriminal then exported the corporate vault entries and the contents of shared folders. Those shared folders held encrypted secure notes and the decryption keys for the AWS S3 LastPass production backups, various cloud-based storage resources, and critical database backups.
Again, with the assistance of Mandiant, LastPass progressed with the incident response for ongoing containment, eradication, and recovery activities.
What Actions Must You Take If You Are Using LastPass?
LastPass has released two security bulletins to support its incident-response efforts: one for Free, Premium, and Families consumer users and another for Business and Teams users. The bulletins explain how to secure your LastPass account and respond to the incident.
- Recommended Actions for LastPass Free, Premium, and Families:
Security Bulletin: Recommended Actions for Free, Premium, and Families Customers – LastPass Support
- Recommended Actions for LastPass Business:
Security Bulletin: Recommended Actions for LastPass Business Administrators – LastPass Support
Key Learnings From The LastPass Breach
Cyberattacks show no signs of subsiding. On the positive side, we can learn from these attacks and take preventive steps to protect the IT environment. From the LastPass breach, we now know to:
- Tune up systems
Improve system performance with regular audits and disk clean-ups, and eliminate unused or rarely used files. Keep usage optimized with regular maintenance and updates across systems.
- Implement MFA
MFA adds a layer of protection against threats and reduces the risk from poor password behavior such as password reuse. Implementing PingOne MFA, PingID MFA, Okta MFA, or TOTP authenticator app-based MFA is highly recommended to provide robust security for your accounts.
- Normalize IT infrastructure with posture anomaly management
Get a holistic view of the IT infrastructure and surface the security risks that were previously hidden. Posture anomaly management lets you discover the obvious attack vectors in the network and implement more effective security measures, and it gives you control over the posture anomalies that could otherwise enable massive attacks.
- Automate patching daily
Automate end-to-end patching tasks, from scanning, prioritization, and testing to scheduled deployment. Automated patching reduces manual work and human error. Create automation rules according to your organization’s requirements and patch faster across your network.
- Apply system hardening
Apply strict configuration hardening measures to operating systems, servers, and enterprise applications to minimize the organization’s threat exposure.
Although LastPass implemented various security measures, it should also have covered these basic prevention methods. Cybercriminals use many techniques to infiltrate an organization’s network and perform malicious actions, but most of the time they rely on the same familiar methods. To stay secure, look deep into your IT infrastructure, gather insights, and normalize it so that attacks are nipped in the bud.