comfortvur.blogg.se

Of course, it’s possible that the company was just a stepping stone to another target – the interconnectedness of services and companies has reached such levels that third-party supply chain compromises have become practically ordinary. The company says that they still don’t know the identity of the attacker and their motivation: “There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.”

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass added.

Gaining access to the engineer’s LastPass corporate vault.

Using that capability to implant a keylogger, which captured the employee’s master password (after the employee authenticated with MFA).

Targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package (Plesk, according to an Ars Technica source) to be able to remotely execute code remote code.

How did the attacker do it? As it turns out, they stole access credentials from a senior DevOps engineer by: “The second incident saw the threat actor quickly make use of information exfiltrated during the first incident, prior to the reset completed by our teams, to enumerate and ultimately exfiltrate data from the cloud storage resources,” the company explained. The second incident went initially unnoticed, LastPass says, the tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) of the second incident “were not consistent with those of the first.” It was only later determined that the two incidents were related. Getting into the LastPass corporate vault The results of both breaches are catastrophic and the list of data and secrets stolen/compromise as a result is extensive. LastPass is, once again, telling customers about a security incident related to the August 2022 breach of its development environment and subsequent unauthorized access to the company’s third-party cloud storage service that hosted backups: “The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack.”