LastPass was undone by an attack on a remote employee
Last August, LastPass suffered a well publicised breach: Developer systems were compromised and source code stolen. This resulted in a second breach in November, which was revealed by LastPass in December. The company has now revealed that the individual(s) responsible for the attack also compromised a remote employee’s computer, in order to capture credentials used in the second attack.
The credentials allowed the attacker to steal data from Amazon AWS cloud storage servers used by LastPass for a little over two months.
The remote developer’s PC was reportedly compromised via a remote code execution vulnerability in a third-party media player, which was exploited to deploy a keylogger. After this, the attacker was able to wait until the employee entered their master password and authenticated themselves with multi-factor authentication.
The attacker was able to access the DevOps engineer’s LastPass corporate vault. From the LastPass support page:
The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
The compromised developer was one of only four people with access to the decryption keys needed to access cloud storage services. This is very much the definition of a targeted attack.
According to LastPass, once the attacker was inside the DevOps Engineer’s LastPass corporate vault, they were able to export all manner of potentially useful information.
The support page mentions that as part of the post-attack work being done, the DevOps engineer is being assisted with “hardening the security of their home network and personal resources”.
It’s somewhat remarkable to think that a big chunk of the above LastPass chaos is down to someone running a media player on a system used for work. Or, put another way, LastPass allowing an employee to use a computer with a vulnerable media player for work. We don’t know if it was a work machine, or a home machine, but the two look very alike these days, with home devices used to access the office, and work devices used for non-work activities.
There is a grey area here, then, in terms of whether using a personal device for work should have been subject to “acceptable / unacceptable” software installation decisions by IT. Considering the severity of this particular attack, there’s probably a good case for it.
What to do if you’re a LastPass user
At the moment, there is nothing you need to do if you have already followed the advice during the December breach reveal. However, if you are only now finding out about the various LastPass breaches:
- Change your master password and then begin changing the logins inside your vault as soon as possible, starting with the most important.
- Start using multi-factor authentication (MFA) to make your account immune to similar compromises in future. LastPass supports several kinds of MFA.
How to work from home securely
- Use devices supplied or approved by your employer. This ensures your machine meets your security team’s requirements.
- Use a VPN to connect to the office network. A corporate VPN protects traffic from prying eyes as it travels over the Internet.
- Change your router password. Don’t rely on the default password your router shipped with—these often end up in long lists online.
- Keep software up to date. If your employer is unable to update your software automatically, you’ll have to do it. Don’t ignore those popups telling you that an update is available.
- Use effective endpoint protection. Malwarebytes Endpoint Protection detects malware like keyloggers, and is designed to be easy to deploy and administer on remote machines.
For more information about working from home securely, read our security tips for working from home.
Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.