LastPass has published some new details about a second attack on their infrastructure. Despite LastPass’ high confidence in their investigation and response to the first incident, a threat actor managed to launch a second attack on LastPass’ network.
The attacker used information obtained from the first incident, a third-party data breach, and a vulnerability in a third-party media software package. This attack involved overlapping activities and targeted both LastPass’ infrastructure and an employee.
The observed tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) of the second incident were different from those of the first. Although the two incidents occurred close in time, it was not initially clear that they were directly related.
The investigation has shown that the threat actor used the information obtained during the first incident to pivot and conduct further reconnaissance, enumeration, and exfiltration activities in the cloud storage environment from August 12, 2022, to October 26, 2022.
LastPass is keen to underline that during the first attack, credentials were stolen, but these credentials were encrypted. The threat actor did not have access to the decryption keys, which were only retrievable from two specific locations. The first location was a segregated and secure implementation of an orchestration platform and key-value store used to coordinate backups of LastPass development and production environments with various cloud-based storage resources. The second location was a highly restricted set of shared folders in a LastPass password manager vault that were used by DevOps engineers to perform administrative duties in these environments.
This means that, to obtain the keys needed to access the cloud storage service, the second attacker targeted one of the four DevOps engineers who had access to them.
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” wrote LastPass in a support note. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
If you are concerned that your LastPass account has been compromised, follow these steps.