

Stolen data used to gain access in second breach

No customer data or vault data was stolen during this incident, as LastPass did not have any customer or vault data in the development environment. In the first intrusion, in August, a software engineer’s corporate laptop was compromised, allowing the threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets, LastPass CEO Karim Toubba said in a blog addressed to customers. The use of valid credentials made it difficult for the company's investigators to detect the threat actor's activity. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the devops engineer's LastPass corporate vault," LastPass said.

LastPass engineer's master password stolen

The developer whose home computer was infected with the keylogger was one of only four devops engineers in the company who had access to the decryption keys of encrypted Amazon S3 buckets. There has been no activity by the threat actor after October 26, the company added. "While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related," LastPass said in its update. "The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first." However, LastPass now says that the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity aimed at the company's cloud storage environment from August 12 to October 26, 2022.

The first intrusion ended on August 12 last year.
