[dba-Tech] Last Pass

[Rocky Smolin]

Follow up on the lastpass  breach:

LastPass: DevOps engineer hacked to steal password vault data in 2022
breach (bleepingcomputer.com)
<https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/>

Executive summary:

The company has now disclosed how the threat actors performed this attack,
stating that they used information stolen in an August breach
<https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/>,
information from another data breach, and a remote code execution
vulnerability to install a keylogger on a senior DevOps engineer's computer.

LastPass says this second coordinated attack used the stolen data from the
first breach to gain access to the company's encrypted Amazon S3 buckets.

As only four LastPass DevOps engineers had access to these decryption keys,
the threat actor targeted one of the engineers. Ultimately, the hackers
successfully installed a keylogger on the employee's device by exploiting a
remote code execution vulnerability in a third-party media software package.

"The threat actor was able to capture the employee's master password as it
was entered, after the employee authenticated with MFA, and gain access to
the DevOps engineer's LastPass corporate vault," reads a new security
advisory
<https://support.lastpass.com/help/incident-2-additional-details-of-the-attack>
published
today.

"The threat actor then exported the native corporate vault entries and
content of shared folders, which contained encrypted secure notes with
access and decryption keys needed to access the AWS S3 LastPass production
backups, other cloud-based storage resources, and some related critical
database backups."


r