LastPass revealed more information about a “second coordinated attack”, where a malicious actor accessed and stole data from Amazon AWS cloud storage servers for over two months.

Last pass revealed an offense in December, where threat actors stole partially encrypted password vault data and customer information.

The company has now revealed how the threat actors executed this attack, stating that they used information stolen in August breachinformation from another data breach and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer’s computer.

LastPass says this second coordinated attack used data stolen from the first breach to gain access to the company’s encrypted Amazon S3 buckets.

Since only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers managed to install a keylogger on the employee’s device by exploiting a remote code execution vulnerability in a third-party multimedia software package.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the employee’s LastPass corporate vault. the DevOps engineer,” reads one new security advisory published today.

“The threat actor then exported the company’s native vault entries and the contents of the shared folders, which contained secure notes encrypted with the access and decryption keys needed to access the production backups. AWS S3 LastPass, other cloud-based storage resources, and certain related critical database backups.”

The use of valid credentials made it difficult for corporate investigators to detect the threat actor’s activity, allowing the hacker to access and steal data from storage servers in LastPass cloud for more than two months, between August 12, 2022 and October 26, 2022.

LastPass eventually detected the anomalous behavior via AWS GuardDuty alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.

The company says it has since updated its security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcement of stricter security policies.

A large amount of data has been accessed

As part of today’s disclosure, LastPass released more detailed information about the customer information stolen in the attack.

Depending on the particular customer, this data is wide and varied, ranging from Multi-Factor Authentication (MFA) seeds, MFA API integration secrets, and split knowledge component key (“K2”) for customers federated salespeople.

A full list of stolen data is below, along with a more detailed and easier to read table about it. support page.

Summary of data accessed in Incident 1:

• On-demand, cloud-based development and source code repositories – this included 14 of the 200 software repositories.

• Internal repository scripts – these contained secrets and LastPass certificates.

• Internal documents – technical information describing how the development environment works.

Summary of data accessed during Incident 2:

• DevOps Secrets – restricted secrets that were used to access our cloud-based backup storage.

• Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, client metadata, and backups of all client vault data. All sensitive Customer Vault data, other than URLs, paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, has been encrypted using our zero-knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. . As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass. Therefore, they were not included in the exfiltrated data.

• LastPass MFA/Federation Database Backup – contained copies of the LastPass Authenticator seeds, phone numbers used for the MFA backup option (if enabled), and a fractional knowledge component (the K2 “key”) used for LastPass federation (if enabled ). This database was encrypted, but the separately stored decryption key was included in the secrets stolen by the threat actor in the second incident.

Not all of today’s support bulletins are easy to find, with none of them listed in search engines, the company added. <meta name="robots" content="noindex"> HTML tags the document to prevent it from being indexed by search engines.

LastPass also released a PDF titled “What steps should you take to protect yourself or your business“, which contains additional steps that customers can take to protect their environment.