
LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

The use of valid credentials made it difficult for the company's investigators to detect the threat actor's activity, allowing the hacker to access and steal data from LastPass' cloud storage servers for over two months, from August 12, 2022, to October 26, 2022. "The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups." "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," reads a new security advisory published today. Ultimately, the hackers successfully installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package.

LastPass says this second coordinated attack used the stolen data from the first breach to gain access to the company's encrypted Amazon S3 buckets.

As only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. The company has now disclosed how the threat actors performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer.

LastPass disclosed a breach in December where threat actors stole partially encrypted password vault data and customer information. LastPass revealed more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.
