Incident Details
| Victimized Company: | LastPass |
| Incident Dates: | 2022-08-08 to 2022-10-26 |
| Disclosure Date: | 2022-12-22 |
| Current Status: | Threat Actor unknown |
LastPass
In 2022, LastPass suffered a series of breaches, eventually leading to customer password vaults being taken. This incident is notable because it is the first time we’ve seen evidence that a threat actor targeted a specific employee’s home network to capture privileged cloud credentials.
Incident
Details of the Incident
LastPass published two detailed incident reports from the August and December Incidents.
In August of 2022, an unknown party compromised a developer’s corporate laptop to access non-production environments and source code repositories. “Some of these source code repositories included cleartext embedded credentials, stored digital certificates related to our development environments, and some encrypted credentials used for production capabilities such as backup.”1
The employee laptop’s “Endpoint Detection Response (EDR) agent, … was tampered with and was not triggered during the initial activity.”1
Per LastPass’s disclosures, their production environment was on-prem, and only their non-production was “cloud-based”. No customer data was exposed in the August incident. However,
“The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources.”2
The “threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service. This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s [LastPass] master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
“Ultimately AWS GuardDuty Alerts informed us of anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”
Timeline
| Date | Event |
|---|---|
| August 8th, 2022 | Threat-actor activity began. |
| August 12th, 2022 | LastPass detects “unusual activity” in their development environment. |
| August 13th, 2022 | Mandiant was engaged to assist in the IR process. |
| August 25th, 2022 | LastPass discloses that “an unauthorized party” “took portions of source code and some proprietary LastPass technical information”. No customer vaults were impacted. |
| August 12th to October 26th, 2022 | The threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment”2 |
| December 22nd, 2022 | LastPass discloses that “an unknown threat actor accessed a cloud-based storage environment” and “The threat actor was also able to copy a backup of customer vault data”. |
| January 3rd, 2023 | Class Action Suit filed in the US District Court of Massachusetts |
| March 1st, 2023 | LastPass discloses how the threat actor compromised both engineers to execute both the first and second incidents. |
| September 5th, 2023 | Brian Krebs reports that more than US$35 Million in Crypto have been stolen from over 150 individuals. |
Attribution / Perpetrator
Per the March 1st disclosure:
“the identity of the threat actor and their motivation remains unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.”3
Summary of coverage
- LastPass: Original disclosure from Aug 2022 - August 25, 2022
- LastPass: Notice of Recent Security Incident - December 22nd, 2022
- ArsTechnica: LastPass users: Your info and password vault data are now in hackers’ hands - December 22, 2022
- Class Action Lawsuit filing - January 3, 2023
- ArsTechnica: LastPass says employee’s home computer was hacked and corporate vault taken - February 27, 2023
- LastPass: Security Incident Update and Recommended Actions - March 1, 2023
- LastPass: Incident 1 Report - undated support post
- LastPass: Incident 2 Report - undated support post
- Krebs on Security: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
Cloud Security Implications of this incident.
A number of cloud security lessons jump out from LastPass’s two incident reports:
- LastPass had clear-text credentials in their source code which were used to conduct the second, more serious attack.
- Per the August disclosure, they then “deployed a market-leading Cloud Security Posture Management (CSPM)” indicating they may not have had one before.
- Per the August disclosure, they “restricted and removed access of engineers/developers to the underlying cloud platform”, indicating they may have had more people with access than necessary.
- “The threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”
- Based on the December incident report, LastPass was using long-term access keys and IAM Users and had a number of inactive development IAM users.
A few other incident response things to note:
- Per the August disclosure, the attacker had a four-day dwell time before detection.