LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems.
The company said one of its DevOps engineers had their personal home computer hacked and infected with a keylogger as part of a sustained cyber attack that exfiltrated sensitive data from its Amazon AWS cloud storage servers.
"The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack," the password management service said.
This intrusion targeted the company's infrastructure, resources, and the aforementioned employee from August 12, 2022, to October 26, 2022. The original incident, on the other hand, ended on August 12, 2022.
The August breach saw the intruders accessing source code and proprietary technical information from its development environment by means of a single compromised employee account.
In December 2022, LastPass revealed that the threat actor leveraged the stolen information to access a cloud-based storage environment and get hold of "certain elements of our customers' information."
Later in the same month, the unknown attacker was disclosed as having obtained access to a backup of customer vault data that it said was protected using 256-bit AES encryption. It did not divulge how recent the backup was.
GoTo, the parent company of LastPass, also fessed up to a breach last month stemming from unauthorized access to the third-party cloud storage service.
Now according to the company, the threat actor engaged in a new series of "reconnaissance, enumeration, and exfiltration activities" aimed at its cloud storage service between August and October 2022.
"Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment," LastPass said, adding the engineer "had access to the decryption keys needed to access the cloud storage service."
This allowed the malicious actor to obtain access to the AWS S3 buckets that housed backups of LastPass customer and encrypted vault data, it further noted.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
The employee's passwords are said to have been siphoned by targeting the individual's home computer and leveraging a "vulnerable third-party media software package" to achieve remote code execution and plant a keylogger software.
"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," LastPass said.
LastPass did not reveal the name of the third-party media software used, but indications are that it could be Plex based on the fact that it suffered a breach of its own in late August 2022.
In the aftermath of the incident, LastPass said it upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor, and that it applied extra S3 hardening measures to put in place logging and alerting mechanisms.
LastPass users are highly recommended to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.
Plex shared the following statement with The Hacker News after the publication of the story -
We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we've never had a critical vulnerability published for which there wasn't already a patched version released. And when we've had incidents of our own, we've always chosen to communicate them quickly. We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure.