Last August, LastPass reported a security incident in which an unauthorized actor accessed the password management company’s source code and proprietary technical information using a compromised DevOps engineer’s account. While the initial investigation concluded that the attack was contained, the company later discovered a secondary attack that took place between August 12 and October 26, involving reconnaissance, enumeration and the exfiltration of sensitive data.
How the Attack was Implemented
The attackers targeted a home computer used by a DevOps engineer who worked remotely for LastPass. The attackers exploited an unpatched third-party software package, the Plex Media Server, which allowed the intruders to plant a keylogger on the computer. This enabled the attacker to capture the employee’s master password as it was entered in real time. Using the stolen credentials, the attackers were able to access a corporate vault that contained encryption keys for customer vault backups stored in an Amazon S3 bucket, including an S3 production backup, in addition to other cloud-based storage resources and other related critical database backups. Some of the content contained within the backups included encrypted and clear-text data, such as website usernames and passwords, secure notes and form-filled data. New details are emerging as to how the threat actor obtained the S3 encryption keys. While alerting and logging were enabled, the anomalous behavior of the compromised account was not detected. LastPass officials wrote, “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”
Despite the data breach, LastPass insists that it would be highly difficult for the attackers to compromise the master passwords of customers. Customers could, however, be exposed to increased occurrences of targeted phishing attacks, credential stuffing or other brute-force attack methodologies for any online account associated with their LastPass vault. Customers were reminded that LastPass will never contact them for any information related to their accounts.
The secondary attack on LastPass is a perfect example of how the compromise of a single privileged account can be leveraged by a threat actor. In this case, the DevOps engineer was one of only four LastPass employees with access to the corporate storage vault. Privileged accounts such as these must be held to a higher security standard. Some of the possible security measures that could have been utilized in this scenario include the following:
- Privileged employees should only utilize corporate devices that are properly secured by corporate security controls.
- Companies should use multifactor authentication (MFA) strategies that involve an authenticator app or a FIDO (Fast Identity Online) key. FIDO keys require an employee to insert the key and physically touch it, alleviating the need for the user to type in a code that can be captured.
- All corporate data today should be encrypted to prevent attackers from accessing it without the required decryption key even when exfiltrated.
- Computers used by highly privileged users can be protected by allow-list security. Allow-list security policies only allow authorized applications to be installed on a corporate device. Such a policy would have prevented the exploitable third-party application from being installed by the employee in this case.
- While alert monitoring should be a mandatory component of any cybersecurity policy, notification systems are usually dashboard oriented. Security dashboards require a human to be seated at the dashboard and interpret the incoming series of metrics and alert notifications. Large enterprises today should utilize some sort of AI security solution (AIOps). These solutions aren’t dependent on the reactionary measures of human personnel because AI takes an active involvement to identify and eliminate suspicious traffic that could be harmful to the network. While this technology can be rather pricey for SMBs, access to AIOps technology can still be gained by contracting with a security operations center (SOC).
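The article notes that logging and alerting were enabled yet the account's activity went unnoticed, because the attacker was using valid credentials. As an added example (not code from the article or from LastPass), the following Python scores constructed CloudTrail-style records for a hypothetical privileged principal against a per-account baseline of expected source networks, working hours and backup-read volume; the user name, bucket names, addresses and thresholds are all assumptions.

```python
# Added example: baseline-driven detection for a privileged principal's use of
# backup storage. Principal, buckets, addresses and limits are hypothetical.
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

BASELINE = {
    "devops-senior": {
        "networks": [ip_network("203.0.113.0/24")],  # corporate egress range
        "hours": range(8, 19),                        # 08:00-18:59 UTC
        "max_objects_per_hour": 20,
    }
}
BACKUP_BUCKETS = {"customer-vault-backups", "prod-db-backups"}

def check_event(event, counts):
    """Return the reasons an event is suspicious (empty list if it looks normal)."""
    profile = BASELINE.get(event["user"])
    if profile is None:
        return ["principal not on the backup access list"]
    ts = datetime.fromisoformat(event["time"])
    src = ip_address(event["src_ip"])
    reasons = []
    if not any(src in net for net in profile["networks"]):
        reasons.append(f"source {src} outside corporate networks")
    if ts.hour not in profile["hours"]:
        reasons.append(f"access at {ts:%H:%M} UTC outside working hours")
    if event["action"] == "GetObject" and event["bucket"] in BACKUP_BUCKETS:
        key = (event["user"], ts.strftime("%Y-%m-%dT%H"))  # per-user, per-hour
        counts[key] += 1
        if counts[key] > profile["max_objects_per_hour"]:
            reasons.append(f"{counts[key]} backup objects read this hour")
    return reasons

def scan(events):
    """Run every record through check_event; return {record index: reasons}."""
    counts, findings = Counter(), {}
    for i, ev in enumerate(events):
        if reasons := check_event(ev, counts):
            findings[i] = reasons
    return findings

# Constructed sample: one routine daytime read from the office, then 25 reads
# at 02:xx UTC from a home address (RFC 5737 documentation ranges throughout).
SAMPLE = [{"time": "2022-08-15T10:05:00", "user": "devops-senior",
           "src_ip": "203.0.113.7", "action": "GetObject",
           "bucket": "customer-vault-backups"}]
SAMPLE += [{"time": f"2022-08-20T02:{m:02d}:00", "user": "devops-senior",
            "src_ip": "198.51.100.23", "action": "GetObject",
            "bucket": "customer-vault-backups"} for m in range(25)]
```

Running `scan(SAMPLE)` leaves the office read alone and flags every night-time read for its source and hour, adding a volume finding once the hourly read count passes the baseline.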
By implementing the principle of least privilege (PoLP), organizations can reduce the risk of data breaches and other security incidents by limiting the exposure of sensitive information and resources.
The LastPass data breach provides valuable lessons for companies to improve their security posture. Review your organization’s security posture with a risk assessment. Schedule a review to ensure that your controls are effective in protecting your organization against cyber threats.