There’s no date on the update, but as far as we can make out, LastPass just [2023-02-27] published a short document entitled Incident 2 – Additional details of the attack.
As you probably remember, because the bad news broke just before the Christmas holiday season in December 2022, LastPass suffered what’s known in the jargon as a lateral movement attack.
Simply put, lateral movement is just a fancy way of saying, “Once you get into the lobby, you can sneak into a dark corner of the security office, where you can wait in the shadows until the guards get up to make tea, when you can grab an access card from the shelf next to where they usually sit, which will get you into the secure area next to the cloakroom, where you’ll find the keys to the safe.”
The unknown unknowns
As we’ve previously described, LastPass spotted, in August 2022, that someone had broken into their DevOps (development operations) network and run off with proprietary information, including source code.
But that’s a bit like coming back from vacation to find a side window smashed and your favourite games console missing, with nothing else obviously amiss.
You know what you know, because there’s broken glass on the kitchen floor and a console-shaped gap where your beloved PlayBox-5/360 games device used to be.
But you don’t know, and you can’t easily figure out, what you don’t know, such as whether the crooks diligently scanned-but-replaced all the personal documents in your desk drawer, or took good-quality photos of the educational certificates on the wall, or found copies of your front door key that you’d forgotten you had, or went into your bathroom and used your toothbrush to…
…well, you simply can’t be sure what they didn’t do with it.
Threat actor pivots
In LastPass’s case, the initial breach was immediately followed, as the company now says, by an extended period of attackers poking around elsewhere looking for additional cyberbooty:
The threat actor pivoted from the first incident, which ended on 2022-08-12, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from 2022-08-12 to 2022-10-26.
The burning question, it seems, was, “How was that pivoting possible, given that the needed access credentials were locked up in a secure password vault to which only four developers had access?”
(The word pivot in this context is just a jargon way of saying, “Where the crooks went next.”)
LastPass now thinks it has the answer, and though it’s a bad look for the company to get pwned in this way, we’ll repeat what we said in last week’s podcast promo video in respect of the recent Coinbase breach, where source code was also stolen:
“As simple as the attack was, it would be a bold company that would claim that not one of their users, ever, would fall for this kind of thing…”
Listen now – Learn more!https://t.co/CdZpuDSW2f pic.twitter.com/0DFb4wALhi
— Naked Security (@NakedSecurity) February 24, 2023
Coinbase’s luckless employee got phished, but LastPass’s luckless developer apparently got keylogged, with the crooks exploiting an unpatched vulnerability to get their foothold:
[Access to the vault password] was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
Sadly, it doesn’t matter how complex, long, random or unguessable your password is if your attackers can simply record you typing it in.
(No, we’re not sure why there was apparently no requirement for 2FA for opening up the corporate vault, in addition to the 2FA used when the employee first authenticated.)
What to do?
- Patch early, patch often, patch everywhere. This doesn’t always help, for example if your attackers have access to a zero-day exploit for which no patch yet exists. But most vulnerabilities never get turned into zero-days, which means that if you patch promptly you will very frequently be ahead of the crooks. Anyway, especially in the case of a zero-day, why leave yourself exposed for a moment longer than you need to?
- Enable 2FA wherever you can. This doesn’t always help, for example if you’re attacked via a phishing site that tricks you into handing over your regular password and your current one-time code at the same time. But it often stops stolen passwords alone being enough to mount further attacks.
- Don’t wait to change credentials or reset 2FA seeds after a successful attack. We’re not fans of regular, forced password changes when there’s no obvious need, just for the sake of change. But we are fans of a change early, change everywhere approach when you know that crooks have got in somewhere.
That rotten thief who stole your games console probably just grabbed it and ran, so as not to get caught, and didn’t waste time going into your bathroom, let alone picking up your toothbrush…
…but we reckon you’re going to replace it anyway.
Now we’ve mentioned it.