LastPass publishes final analysis of hack into password infrastructure

Martin Brinkmann
Feb 28, 2023
Security

LastPass has notified its business customers via email that it has finished the analysis of the 2022 hack of its password infrastructure.


The company confirmed that it suffered a security breach in August 2022. What at first looked like a minor incident resulted in a second breach later in 2022. In that second hack, customer data was stolen. This included user vault data, which contained all the stored passwords, notes and other private information of LastPass customers.

Users were asked to change all of the passwords stored by the service at once, as the threat actors had everything they needed in their possession to decrypt password vaults and gain access to all stored passwords.

LastPass hack: the final analysis

LastPass now confirms that it has completed the investigation of the 2022 hack of its infrastructure. The information is available here, but there is no blog post or official announcement about it on the site yet.

LastPass reiterates that the two hacks were not "caused by any LastPass product defect or unauthorized access to - or abuse of - production systems". The threat actor used a vulnerability to gain access to non-production development and backup storage environments.

The summary of the first incident provides details on what happened. According to LastPass, the corporate laptop of a software engineer was compromised; this allowed the threat actor to gain access to a cloud-based development environment. They managed to copy source code, technical information and "certain LastPass internal system secrets". No customer data or vault data was obtained during the first hack.

LastPass deployed additional security technologies and controls in response to the incident, decommissioned the development environment and rebuilt it from scratch, and "rotated all relevant cleartext secrets and exposed certificates".

The second LastPass hack

The threat actor used information obtained during the first hack to target "a senior DevOps engineer", again by exploiting vulnerable third-party software, according to LastPass' post.

The vulnerability was used to deploy malware, bypass controls and gain access to cloud backups. Data from those backups included "system configuration data, API secrets, third-party integration secret, and encrypted and unencrypted LastPass customer data".

In a second support document, LastPass confirms that the threat actor was able to copy LastPass customer vault data backups for five different dates: August 20, 2022, August 30, 2022, August 31, 2022, September 8, 2022, and September 16, 2022.

The data is stored in an aggregated format, BLOBs, which consist "of collections of binary strings separated into designated sections". These are not "representative of the complete assembled 'vaults' that are rendered as human-readable form within each customer's LastPass client".

According to LastPass, the BLOBs contain both encrypted and unencrypted data.

Encrypted fields in the vault:

  • Site name, site folder, site username and history, site password and history, site note content, encrypted TOTP secret, custom fillable form-field, custom fillable form-field content.
  • Secure notes name, folder, attachment file name, attachment, encrypted attachment encryption key, note content.
  • Group names, encrypted sharing keys, encrypted super admin sharing key.

The customer database contained the following unencrypted information:

  • Business customer and teams data: billing address, company name, EIN/Tax ID, email address, end user name, IP address, telephone number, mobile device unique identifier, PBKDF2 SHA256 Iterations.
  • Home users: billing address, email address, end user name, IP address, telephone number, mobile device unique identifier, PBKDF2 SHA256 Iterations.

LastPass notes what the threat actor could do with the obtained data and information:

"The threat actor may attempt to brute force and decrypt the copies of the vault data they took. Our Zero Knowledge encryption architecture is designed to protect customers’ sensitive information to defend against attempts to brute force encrypted data. The threat actor may also use some of this data to target customers with phishing attacks, credential stuffing, or other social engineering attacks against online accounts associated with their LastPass vault."

What LastPass has done to strengthen security

LastPass deployed "several new security technologies" across its infrastructure in response. The company says that it has "prioritized and initiated significant investments in security, privacy, and operational practices", performed a "comprehensive review" of its security policies and has "incorporated changes to restrict access and privilege".

The company hired new leaders and has enhanced its investment in security "across people, processes and technology".

LastPass plans to raise the password iteration count to 600K for new and existing customers. URL and URL-related fields, which are currently stored unencrypted, will be encrypted in the future, among other improvements. The company also plans to introduce Argon2 support in the near future.
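The iteration count matters because PBKDF2 work scales linearly with it, and each user's count sat unencrypted in the stolen customer database, so whoever holds that database knows which vaults are cheapest to attack offline. The following Python script is an added illustration, not LastPass code: it derives a key at a given count, computes how much more expensive every offline guess becomes at the 600K target, and flags constructed sample accounts that fall below it. Salting with the account email and the sample iteration values are assumptions made for the example.

```python
import hashlib
import time

# Iteration count LastPass says it will roll out to new and existing customers.
TARGET_ITERATIONS = 600_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output. Salting with the lower-cased account
    email is an assumption for this illustration, not LastPass's actual scheme."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def cost_ratio(current_iterations: int, target: int = TARGET_ITERATIONS) -> float:
    """How much more work one offline guess costs at `target` than at
    `current_iterations`; PBKDF2 cost is linear in the iteration count."""
    if current_iterations <= 0:
        raise ValueError("iteration count must be positive")
    return target / current_iterations


def accounts_below_target(records, target: int = TARGET_ITERATIONS) -> list:
    """Emails whose stored 'PBKDF2 SHA256 Iterations' value is below `target`.
    Those values were among the unencrypted customer-database fields, so a
    defender should assume the weakest accounts are tried first."""
    return [r["email"] for r in records if r["iterations"] < target]


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for a single PBKDF2 guess on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


# Constructed sample records; these are not values from the breach.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "iterations": 5_000},
    {"email": "bob@example.com", "iterations": 100_000},
    {"email": "carol@example.com", "iterations": 600_000},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['email']}: {cost_ratio(rec['iterations']):.0f}x more work per guess "
              f"at {TARGET_ITERATIONS} iterations")
    print("below target:", accounts_below_target(SAMPLE_RECORDS))
    print(f"one guess at {TARGET_ITERATIONS} iterations: {seconds_per_guess(TARGET_ITERATIONS):.3f}s")
```

Multiply the measured per-guess time by a realistic dictionary size to see why LastPass still tells users to rotate both the master password and the stored passwords.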

Closing Words

LastPass states that it was not approached by the threat actor and that it is not aware of attempts to sell the data on the dark web. For customers, it is still essential that the master password and all stored passwords are changed, as the threat actor may brute force vaults to gain access to passwords.

Now You: were you affected by the incident?


Comments

  1. Anonymous said on March 16, 2023 at 11:12 pm
    Reply

    Has anyone asked LastPass about the “SuperAdmin” role? If you read their documents around this process, when an admin is elevated to the “SuperAdmin” role a private/public key pair is generated. The private key is protected by the SuperAdmin's symmetric key (aka “master password”) and stored in the respective user's vault. Then as users of the organization log into the web browser extension their respective decryption key is encrypted with the public key of the SuperAdmin so they can reset/recover the users' password vaults. As an attacker, you can then micro-focus on “SuperAdmin” roles as gaining access to their “MasterPasswords” grants you access to all user accounts under that organization. I see no mention of this process in any of the breach suggestions. All I see is plausible deniability and lack of full ownership by LastPass. They believe their encryption process is bulletproof based on their statements. If you read these articles closely, I feel the marketing team had way too much influence in the response. All users should change their “master passwords”. All organizations should notify their users of the break and the likelihood that phishing campaigns will follow based on the amount of data that was not encrypted by LastPass. How can we rotate SuperAdmin private/public keys? Why has LastPass not recommended that all individual passwords stored within each user’s account be changed? I

  2. alpo said on March 1, 2023 at 2:36 am
    Reply

    “LastPass plans to update password iterations to 600K for new and existing customers. URL and URL-related fields will be encrypted in the future, which they are not right now, and other improvements. The company plans to introduce Argon2 support in the near future as well.”

    In other words, LP plans for their closed-source payware product to, at some point in the future, do what the better free, open-source, not-repeatedly-successfully-hacked PW managers already do.

    KeePass for me.

  3. Frankel said on February 28, 2023 at 9:59 am
    Reply

    Martin, you left out the spicy details:

    >”This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware.”

    There are a lot of things that don’t check out. For an RCE you still need to run the code manually like accessing a link to the exploit, i.e. be phished into doing the clicking. They are keeping some interesting details out of their analysis. Until they are fully disclosing how it happened I do not trust them personally.

    Speculation/Assumption: They somehow knew who to target after the 1st breach to make the 2nd happen or they planted code. Who knows? They are not telling us!

    Not that I require to trust them, my passwords are local in KeePassXC.

    1. Frankel said on February 28, 2023 at 10:06 am
      Reply

      [https://infosec.exchange/@dangoodin/109939997666460592]
      Dan Goodin says it was Plex.

      Hah! Why is Plex running on a DevOps machine? Do they have no policies on what software is allowed to run on critical infrastructure? Most companies will not let you work from home on anything but a company laptop clean of entertainment software.

      Boi I have so many questions now :^)

  4. Anonymous said on February 28, 2023 at 7:13 am
    Reply

    The hacker compromised two people (in this round). The second employee not learning from the first was unforgivable. They all should have learnt from earlier attacks that cracking LastPass would be a major coup.

    Unlike many companies, at least LastPass came clean with the public despite the tarnished image they suffer. For that they deserve credit. Put that in the context of a message I once received advising “our server was accessed two years ago…”

    Some companies just shut up and pay. They trust criminals that may have your sensitive data to keep a promise!
