The attacker who gained access to the LastPass cloud storage service last year and made off with some customer data gained initial access to the company’s systems by compromising an engineer’s home machine and stealing the employee’s company credentials, then accessing the LastPass vault, and eventually gaining access to the keys for Amazon S3 buckets that stored customer data and encrypted vault data.
The path that the attacker took to that destination is not a typical one, and it highlights an issue that has faced corporate security teams for many years: employees accessing sensitive corporate resources from personal machines. The shift to remote work for more people since 2020 has exacerbated the problem, but it’s one that IT and security organizations have been wrestling with for the better part of two decades, and employees’ home machines and networks still aren’t always included in corporate threat models.
In the case of the LastPass incident, there are a lot of moving parts and the operation that eventually led to the compromise of the S3 credentials and access to customer data and backups comprised two distinct intrusions. In the first incident, the attacker compromised a developer’s account and was able to steal some LastPass source code and other data. The company’s security team ejected the attacker from the network on Aug. 12, but the attacker immediately began a separate operation focused on performing reconnaissance and exfiltration of more data.
In the second operation, the attacker was able to use some of the information stolen previously to identify the LastPass Amazon cloud storage environment and begin stealing data. In order to accomplish that, the attacker needed to get the decryption keys for the encrypted credentials stolen previously.
“Due to the security controls protecting and securing the on-premises data center installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” LastPass said in an update on Monday.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
This attack path is not simple or direct, but the idea of an attacker targeting a privileged employee’s personal accounts or devices as a way into a corporate network is far from novel. It’s a time-worn technique and often a successful one, though the ways in which attackers use it have evolved over time. Social media has made life much easier for attackers looking to gather information about a target company’s employees, their interests, locations, and personal lives, which then can be used in social engineering attacks or other operations. And if an attacker is able to compromise a personal device that a privileged employee uses for work purposes, it can be especially difficult to deal with, as the personal device may not have corporate monitoring or detection capabilities enabled.
On the corporate side, detection also can be difficult if the attacker has valid credentials and is performing tasks that aren’t completely abnormal for the compromised account.
“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation. Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity,” LastPass said.
“Ultimately AWS GuardDuty Alerts informed us of anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”
As part of the intrusion, the attacker also was able to steal one of the two parts of the 256-bit hidden master passwords used by organizations that integrate LastPass with an identity provider. In those implementations, one component of that secret, known as K1, is stored in the organization’s identity provider, while the other part, known as K2, is stored by LastPass in its production database.
“The K2 component was exfiltrated by the threat actor as it was stored in the encrypted backups of the LastPass MFA/Federation Database for which the threat actor had decryption keys,” LastPass said in a support article.
Enterprises that use LastPass in this way may need to change the K1 and K2 components of the organization-wide master password.
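As an added illustration (not LastPass’s own code, and not its documented scheme), the example below models a two-of-two split of a 256-bit secret into K1 and K2 where combining the parts is assumed to be XOR. It shows why a stolen K2 reveals nothing by itself, why it becomes the full secret if K1 is later obtained from the identity provider, and why a rotation that issues a fresh secret with new K1 and K2 renders the stolen K2 worthless.

```python
import secrets
from typing import Optional, Tuple

KEY_BYTES = 32  # a 256-bit hidden master password


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Split the secret into K1 (held by the identity provider) and K2 (held by
    the password manager). Assumption for this example: K1 XOR K2 == secret,
    with K1 drawn uniformly at random so each part alone is a one-time pad."""
    if len(secret) != KEY_BYTES:
        raise ValueError("secret must be 32 bytes")
    k1 = secrets.token_bytes(KEY_BYTES)
    k2 = xor_bytes(secret, k1)
    return k1, k2


def recover(k1: Optional[bytes], k2: Optional[bytes]) -> Optional[bytes]:
    """What a holder of the given parts can derive: nothing unless both parts are present."""
    if k1 is None or k2 is None:
        return None
    return xor_bytes(k1, k2)


def rotate() -> Tuple[bytes, bytes, bytes]:
    """Rotation after a K2 exposure: generate a fresh secret and a fresh K1/K2 pair.
    Reusing the old secret or either old component would leave the stolen K2 useful
    to an attacker who later obtains the matching K1."""
    new_secret = secrets.token_bytes(KEY_BYTES)
    new_k1, new_k2 = split_secret(new_secret)
    return new_secret, new_k1, new_k2


if __name__ == "__main__":
    original = bytes(range(KEY_BYTES))  # constructed sample secret
    k1, k2 = split_secret(original)
    print("stolen K2 alone recovers:", recover(None, k2))
    print("K2 plus later-obtained K1 recovers original:", recover(k1, k2) == original)
    new_secret, new_k1, _ = rotate()
    print("stolen K2 against rotated K1 yields new secret:", recover(new_k1, k2) == new_secret)
```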