LastPass says attacker hacked employee’s home computer to access corporate vault

Password management company LastPass said Tuesday that the attackers who accessed the company’s digital corporate vault last year did so after hacking an employee's home computer and stealing credentials.

Although no attribution has yet been made about who was behind the incidents, the update reveals that the attacker was persistent and resourceful. LastPass said it has brought in cybersecurity company Mandiant to provide incident response and forensics assistance.

In the new blog post, LastPass said the campaign lasted between August 12 and October 26, and the intruders accessed data including plaintext account information and customers’ passwords stored in an encrypted format.

The company had said in early December that during the initial intrusion in August, “some source code and technical information were stolen from our development environment” — details that were subsequently used to access an online corporate vault. Later in December, LastPass said an attacker had accessed and copied customer data. 

LastPass said that it was not initially apparent that the two incidents were directly related.

Similar to the company’s last update, the new post does not contain a timestamp, and the page includes HTML that prevents it being indexed by search engines.

So what actually happened?

LastPass says only four engineers have access to the decryption keys needed to access its Amazon Web Services (AWS) cloud storage service, where the company keeps the backups of all of its customer information, including vault data. Customers can store website passwords as well as credit card numbers and other sensitive information in their vaults.

The cloud backups include unencrypted account information as well as “fully-encrypted sensitive fields,” which the company said are “secured with 256-bit AES encryption.”

To actually access the cloud storage area — known as an S3 bucket — the “threat actor needed to obtain AWS Access Keys and the LastPass-generated decryption keys,” the company said.

To do this, the attacker targeted one of the four engineers’ home computers. By exploiting a “vulnerable third-party media software package, which enabled remote code execution capability,” they were able to implant a keylogger on the engineer’s device, allowing for constant reconnaissance.

Ars Technica reports that the third-party media software package was Plex, citing a person briefed by LastPass, and notes that the streaming company also disclosed that it had been hacked during this period.

Using the keylogger, the attacker then captured the employee’s credentials as they were entered and accessed the engineer’s corporate vault.

The intruder then exported the contents of the vault and shared folders “which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

The attacker eventually was caught when AWS GuardDuty Alerts notified the company of “anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management roles to perform unauthorized activity.”

What is LastPass doing?

LastPass said that, alongside assistance from Mandiant, it has "forensically imaged devices to investigate corporate and personal resources and gather evidence detailing potential threat actor activity."

It said it has also hardened the security of the engineer's home network and personal resources. The employee works in DevOps, a practice that integrates software development and IT operations.

The company has also rotated “critical and high privilege credentials that were known to be available to the threat actor” and said it is continuing “to rotate the remaining lower priority items that pose no risk to LastPass or our customers,” as well having begun “revoking and re-issuing certificates obtained by the threat actor.”

What should users do?

In the company’s second December update, it said any customers who use LastPass’ default settings, including using a unique master password consisting of a minimum of twelve characters, do not need to take any actions.

However it warned that those with weaker passwords, including business customers who do not use LastPass’ federated login services, “should consider minimizing risk by changing passwords of websites you have stored.”

“This remains an ongoing investigation. We have notified law enforcement and relevant regulatory authorities of this incident out of an abundance of caution,” the company said at the time.

“We are committed to keeping you informed of our findings, and to updating you on the actions we are taking and any actions that you may need to perform. In the meantime, our services are running normally, and we continue to operate in a state of heightened alert. ”

The United Kingdom’s National Cyber Security Centre (NCSC) has long-standing guidance which warns: “Password managers are a natural target for someone trying to gain unauthorized access to your accounts, because a successful attack provides access to all of a user’s stored passwords.”

Despite this risk, NCSC still recommends using password managers as long as the service complies with technical standards which include preventing the service itself (and thus any attacker) from being able to access the decryption key.

LastPass said: “The master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.