LastPass, a popular password manager, recently experienced a second cyber attack, even after taking swift action to address the first one. This second attack was a coordinated effort that leveraged information stolen during the first incident, information obtained from a third-party data breach, and a vulnerability in a third-party media software package.
The attacker targeted LastPass infrastructure, resources, and an employee using a variety of tactics, techniques, and procedures that were inconsistent with those of the first incident. However, the attacker was able to pivot from the first incident and engage in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment.
The attacker was able to gain access to the cloud-based storage resources, including S3 buckets containing LastPass customer backups and encrypted vault data, by obtaining AWS access keys and LastPass-generated decryption keys. The attacker targeted one of the four DevOps engineers with access to the decryption keys by exploiting a vulnerable third-party media software package installed on the employee’s home computer. This allowed the attacker to implant keylogger malware, capture the employee’s master password as it was entered after the employee had authenticated with MFA, and thereby gain access to the DevOps engineer’s LastPass corporate vault.
To mitigate the risks of future attacks, LastPass took several actions, including rotating critical and high-privilege credentials, enabling multifactor authentication, revoking and re-issuing certificates obtained by the threat actor, analyzing cloud-based storage resources and applying additional hardening measures. They also worked with Mandiant to investigate corporate and personal resources and assist the DevOps engineer with hardening the security of their home network and private resources.
In summary, this incident highlights the importance of being vigilant and proactive in securing sensitive data and infrastructure, even after an initial attack has been addressed. LastPass took swift action to contain the second attack and is taking additional measures to protect its customers. Customers are advised to review the recommended steps to protect themselves and their businesses.