LastPass data breach: Firm “hardening security” of engineer’s home network

Threat actors breached a LastPass engineer’s home computer and used a keylogger to steal his “master password”, after tailgating him into protected corporate resources when he logged in via an MFA-protected VPN.

The incident shows the persistence and ingenuity of determined attackers, who, having apparently identified that just four engineers had access to the decryption keys, targeted one of them and exploited “a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware” on the DevOps engineer’s home machine, LastPass said this week.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

The incident came as the hackers escalated an earlier breach that had seen them gain initial access to LastPass’s AWS resources, but not the decryption keys they needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

The breach ultimately exposed encrypted password vaults (“the crown jewels of any password manager”, as Wired puts it) along with other user data. The hackers would subsequently have been able to take their time offline working on cracking target passwords, which with sufficient compute is often simple.

LastPass does not explicitly say whether the threat vector was an unpatched and unmanaged BYOD device (if so, it has serious questions to ask) or the “vulnerable third-party media software package”. Whilst this could have been an unpatched Adobe product, for example, access could also conceivably have come via an unpatched router. The Stack is requesting further details from LastPass, which says it has since “assisted the DevOps Engineer with hardening the security of their home network and personal resources.”