A multi-layered attack campaign in action

LastPass explained that hackers had used information stolen during a data breach in August 2022, combined with information from another leak and a remote code execution (RCE) vulnerability, to plant a keylogger on a computer belonging to one of the firm’s senior DevOps engineers.

In its recent statement, LastPass said that the second, coordinated attack used the data stolen in the initial breach to gain access to the company’s Amazon S3 buckets. The buckets were encrypted, and only four of LastPass’s DevOps engineers had access to the decryptors. Not surprisingly, this led the threat actors behind the campaign to target one of those four engineers.

The hackers were ultimately successful and managed to install a keylogger on the LastPass employee’s computer by exploiting a vulnerability in third-party media software on the engineer’s machine, resulting in the data breach.

The security notification from the company commented: “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Legitimate credentials obscured the threat

Because the attackers used legitimate credentials in their malicious activity, the threat was obscured and harder for investigators at LastPass to detect.

As a result, the hackers were able to access, and went on to steal, sensitive data from the company’s cloud storage servers over a two-month period, from August 12 to October 26, 2022.

Ultimately, LastPass spotted the anomalous behaviour thanks to GuardDuty alerts raised during the threat actor’s attempts to use cloud-based Identity and Access Management (IAM) roles to conduct unauthorised activity.

The attackers accessed an extensive array of customer data during the breach.

Internal technical documentation describing DevOps secrets and cloud-based backups, among other data types, was also accessed. While the information varies by customer, examples include multifactor authentication seeds and application programming interface (API) integration secrets, as well as split knowledge component keys belonging to the company’s federated business customers.

Cloud-based development, on-demand and source code repositories were also accessed, along with internal scripts from these repositories containing LastPass certificates and secrets.
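The detection point in the account above is worth making concrete: when an intruder holds valid credentials, the credentials themselves look fine, and what gives the activity away is context such as an IAM role being assumed from a source never seen for it before. The following is an added illustration of that idea, not code from LastPass or from AWS GuardDuty (whose own analysis of CloudTrail is far richer). The events, account IDs, role names and IP addresses are all constructed; only the field names (eventName, userIdentity.arn, sourceIPAddress, requestParameters.roleArn) follow CloudTrail's shape.

```python
"""Baseline check for IAM role assumptions from unfamiliar sources.

Added illustration only. The records are constructed in a CloudTrail-like
shape; every value (accounts, roles, IPs) is invented for the example.
"""
import json
from collections import defaultdict

ACCOUNT = "111122223333"  # constructed account id
CALLER = f"arn:aws:iam::{ACCOUNT}:user/devops-a"  # constructed principal
ROLE = f"arn:aws:iam::{ACCOUNT}:role/backup-reader"  # constructed role


def _assume_role(source_ip, caller=CALLER, role=ROLE):
    """Build one constructed AssumeRole record in CloudTrail's field layout."""
    return {
        "eventName": "AssumeRole",
        "sourceIPAddress": source_ip,
        "userIdentity": {"arn": caller},
        "requestParameters": {"roleArn": role},
    }


# Constructed "known good" history: the (caller, source IP) pairs that have
# assumed each role before. In practice this comes from weeks of real logs.
BASELINE_EVENTS = [
    _assume_role("203.0.113.10"),
    _assume_role("203.0.113.11"),
]

# Constructed events to evaluate. The last one uses the same legitimate
# caller, but from an address never seen for this role: the credential is
# valid, so only the context can flag it.
NEW_EVENTS = [
    _assume_role("203.0.113.10"),
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": CALLER}, "requestParameters": {}},  # not a role assumption, ignored
    _assume_role("198.51.100.7"),
]


def build_baseline(events):
    """Map role ARN -> set of (caller ARN, source IP) pairs seen assuming it."""
    baseline = defaultdict(set)
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        role = ev["requestParameters"]["roleArn"]
        baseline[role].add((ev["userIdentity"]["arn"], ev["sourceIPAddress"]))
    return baseline


def find_anomalous_assumptions(events, baseline):
    """Return AssumeRole events whose (caller, source IP) pair is new for that role.

    Valid credentials do not exempt an event: the check keys on where and by
    whom the role is assumed, not on whether the call was authorised.
    """
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        role = ev["requestParameters"]["roleArn"]
        pair = (ev["userIdentity"]["arn"], ev["sourceIPAddress"])
        if pair not in baseline.get(role, set()):
            findings.append({
                "role": role,
                "caller": pair[0],
                "sourceIP": pair[1],
                "reason": "role assumed from a (caller, source IP) pair not in baseline",
            })
    return findings


if __name__ == "__main__":
    for finding in find_anomalous_assumptions(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

Run as a script it reports exactly one finding, the backup-reader assumption from 198.51.100.7. The design choice worth noting is that the baseline is keyed per role on the caller and source pair rather than on the credential alone; a stolen but valid key used by the expected principal from the expected network would still pass, which is why such a check is a complement to, not a replacement for, alerting that also looks at time of day, volume and the resources touched afterwards.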