![]() The threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from Augto October 26, 2022.Īs it turns out, another recently published document is more specific: In particular, this doesn’t really help understand the timeline: Other than that, we learn fairly little from the LastPass statement. That would mean that the attackers already had admin access to the media server. ![]() Update (): According to PCMag, Plex learned that the vulnerability abused here was actually CVE-2020-5741 from 2020. We can confirm that the engineer was running an earlier, unpatched version of Plex Media Server on the engineer’s home computer. Update (): Dan Goodin, the journalist behind the article above, got a definitive statement from LastPass confirming my speculations: Yes, allowing an employee to access company secrets from a computer where they also run an at least four years old Plex version that is directly accessible from the internet – that’s pretty damning. The former is unlikely to have been exploited because it requires an authenticated attacker, which leaves us with a vulnerability from 2018.Īnd that certainly explains why LastPass wouldn’t mention the specific vulnerability used. Plex has two known vulnerabilities potentially allowing remote code execution: CVE-2019-19141 and CVE-2018-13415. However, Ars Technica quotes an anonymous source claiming that the software in question was Plex media server. LastPass would certainly mention it if they did, as it supports their case of being overrun by highly sophisticated attackers. LastPass does not mention either the software or the vulnerability, yet I highly doubt that the attackers burned a zero-day vulnerability. as part of the Bring Your Own Device (BYOD) policy – what kind of security measures were in place to prevent compromise?Īlso, in another transparent attempt to shift blame LastPass mentions a vulnerability in a third-party media software which was supposedly used for this compromise. While LastPass makes it sound like the employee’s fault, one has to ask: what kind of security policies allowed an employee to access highly critical company assets from their home computer? Was this kind of access sanctioned by the company? And if yes, e.g. Once this engineer used their home computer to log into the corporate LastPass vault, the attackers were able to access all the data. So they specifically targeted one of these DevOps engineers and infected their home computer with a keylogger. The attackers learned about that when they initially compromised LastPass in August 2022. These keys were stored in the LastPass’ own corporate LastPass vault, with only these four people having access. The “Timeline of the breach” section has been rewritten accordingly.Īccording to LastPass, only four DevOps engineers had access to the keys required to download and decrypt LastPass backup data from Amazon Web Services (AWS). So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022. ![]() Update (): I found additional information finally explaining the timeline here. In fact, the attackers might be able to decrypt company data without using any computing resources on bruteforcing master passwords. Also, contrary to what LastPass claimed originally, business customers using Federated Login Services are very much affected by this breach. TL DR: The breach was helped by a lax security policy, an employee was accessing critical company data from their home computer. If you look closely, the article again carefully avoids making definitive statements. Until yesterday they published an article with details of the breach. Some of the failures to protect users only became apparent after some time, such as many accounts configured with a dangerously low password iterations setting, the company hasn’t admitted them to this day.ĭespite many questions being raised, LastPass maintained strict radio silence since December. making wrong claims about the protection level provided by the encryption. This statement was highly misleading, e.g. It took until December 2022 for LastPass to admit losing their users’ partially encrypted vault data. Half a year after the LastPass breach started in August 2022, information on it remains sparse.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |