Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

LastPass Says Home Computer of DevOps Engineer Was Hacked (securityweek.com) 64

wiredmikey shares a report from SecurityWeek: Password management software firm LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources. LastPass on Monday fessed up a "second attack" where an unnamed threat actor combined data stolen from an August breach with information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated attack. [...]

LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer's home computer was targeted to get around security mitigations. The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee's personal computer. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," the company said. "The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups," LastPass confirmed.
LastPass originally disclosed the breach in August 2022 and warned that "some source code and technical information were stolen."

SecurityWeek adds: "In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information."
This discussion has been archived. No new comments can be posted.

LastPass Says Home Computer of DevOps Engineer Was Hacked

Comments Filter:
  • So much wrong... (Score:4, Informative)

    by Anonymous Coward on Monday February 27, 2023 @09:22PM (#63328921)

    So much wrong with this, it isn't even funny:

    1: "Personal home computer". Why is someone using their personal stuff to connect to a high-value target.

    2: No VDI. There is a level of security where moving to a VDI is a must, just to prevent data exfiltration. It does allow RATs and keyloggers, but at least it will keep ransomware from happening. VDI also ensures people authenticate with two factors.

    3: Why was none of this protected with a timeout?

    4: Where is the EDR/XDR/MDR which would detect keyloggers and data being exfiltrated?

    The big problem with this entire thing was that stuff was accessed via a personal computer. It should have been on a company owned computer that has AppLocker on it to ensure that third party stuff doesn't run without authorization from IT.

    • by klipclop ( 6724090 ) on Monday February 27, 2023 @09:34PM (#63328949)
      There's so much wrong if you are using Lastpass still too.. I stopped using their garbage service over 10yrs ago and now use KeePass and nextcloud for access across multiple devices.. I highly recommend people not put high value info (i.e work or financial services accounts) in something like Lastpass...
      • by Ksevio ( 865461 )

        How many instances of passwords being stolen from lastpass users have there been?

        • by gweihir ( 88907 )

          Nobody knows. As this product should now be banned in any somewhat professionally run software landscape, it will likely be mostly private users. And there are no statistics on them that are precise enough.

          • by Ichijo ( 607641 )

            this product should now be banned in any somewhat professionally run software landscape

            So you think it's safer to go with a company that has not yet been hacked. [wikiquote.org]

            Best of luck!

            • by flink ( 18449 )

              KeePass doesn't store your password vault in an S3 bucket with a million other people's password vaults, so there is nothing to hack. It's stored locally on your computer. It's as secure as your personal device + how strong of a passphrase you use to protect your key.

              The difference is not throwing your lot in with a million other people and presenting a large target. Sure, if a sophisticated hacker is after you in particular, as was the case with this poor Dev Ops guy, then you are probably fucked, but c

              • by eepok ( 545733 )

                Honest question: A person has a home desktop, a home laptop, and a personal phone. If you are required to change a password for one of your systems (30-day switch requirement) while you're trying to log in on your phone, what do you do with KeePass to ensure that your new 25-character PW is available on your laptop and desktop?

                • by Ksevio ( 865461 )

                  Obviously you should set up a home linux server and sync to that!

                • The KeePass app of your choice on the phone directly opens a cloud stored copy of the database so the new password is immediately changed there.

                  On the PC you configure triggers on database unlock, as well as save which sync the local copy and cloud copies. The cloud copies are automatically synced with DropBox, OneDrive, Google Drive, etc from their desktop apps. So the next time KeePass is unlocked, the password change would be pulled down to the local PC's copy.

                  You could run into issues if you attempt to

            • No. It is the way LastPass keeps lying about their breach, and the way they have no fucking controls over what a developer does, and everything else that shows that LogMeIn doesn't give a shit about your security. Please try to keep up.
          • by eepok ( 545733 )

            Nobody knows.

            Well, that's not rational, is it? If you don't know something, you have to assume the worst?

            As this product should now be banned in any somewhat professionally run software landscape

            That assertion surprised me, so I've tried looking it up. I can't find it anywhere. Which companies have banned the use of Lastpass?

          • by Ksevio ( 865461 )

            Why would it be banned in a professionally run software landscape? I figure for larger companies, they'd probably want to run their own key stores (similar to how they might run a build or email server), but there are lots of little companies that use third party tools like Atlassian or Microsoft for their infrastructure that it seems like it'd still be a good fit for

        • by AmiMoJo ( 196126 )

          It's difficult to know. It's like cancer, attributing it to one company's cigarettes, or air pollution, or that time you got sunburned, or the leak from the local nuclear plant, it pretty much impossible.

    • by Slayer ( 6656 )

      Add to this:

      5. "remote code execution vulnerability in a third-party media software package": it tells me, that this person's box was accessible from the internet, and at the same time hosted the credentials to access production servers.

      There's so much fail in this situation .... it's sure going to be the final nail in their coffin, just like with solarwinds [bleepingcomputer.com] ... ? oh, well ...

      • by EvilSS ( 557649 )
        From what I read elsewhere, the "third-party media software package" was Plex, so yea, probably had it setup with open ports.
  • by Xpendable ( 1605485 ) on Monday February 27, 2023 @09:32PM (#63328941)
    ... Of every corporation that gets breached these days is to not admit it is as bad is it is. They know it is far worse but they pretend it's not. Eventually it becomes known the breach was far worse than originally stated. Pretty much every breach now is worse than what the victim initially states.
    • by gweihir ( 88907 )

      And that is why you put reporting requirement and pretty bad penalties for lying in place.

    • by eepok ( 545733 )

      It's SOP for every experienced organization to never state something worse than it is, but you also can't describe the full extent of the problem until you complete the investigation.

      Could you imagine if LastPass were to come out and say, "We don't know what was taken or how it was taken. Heck, even our DevOps home computers could be attack vectors." What do you think would happen next?

      No, instead you focus on solving the problem and deal with media releases later. You're much better off dealing with custom

  • by dicobalt ( 1536225 ) on Monday February 27, 2023 @09:44PM (#63328963)
    Home computer accessing corporate data? In some instances that's not even legal, healthcare and banking being the most obvious. Lastpass is going to have a very rough time in front of them.
    • by AmiMoJo ( 196126 )

      I've seen it happen when the company doesn't provide adequate IT equipment. People only have so much space at home, and KVMs are expensive... Sounds ridiculous but I've seen it done.

      • by saider ( 177166 )

        Any company that has a "Bring Your Own Technology" policy is asking for this trouble.

    • Didn't LastPass get bought by LogMeIn, the company famous for helping people get around their companies' firewalls?

      Regardless, with that job expect to be targeted by nation-state actors and be hit with 0-days.

      In-band keyboard password entry is not good enough.

      • Didn't LastPass get bought by LogMeIn, the company famous for helping people get around their companies' firewalls?

        Regardless, with that job expect to be targeted by nation-state actors and be hit with 0-days.

        In-band keyboard password entry is not good enough.

        nation-state actors indeed.

        In this case, no one has even remotely suggested just which APT might be involved, on behalf of which nation-state actor.
        And the access seems extremely... tailored.
        This is a massive hint.

    • by eepok ( 545733 )

      If accessing corporate data from your personal computer was allowed, that's a problem.
      If accessing corporate data from your personal computer was not allowed, LastPass didn't provide a work computer from home, and the employee was expected to work from home, then that's a problem.

      If the employees wasn't allowed to connect from a personal computer and did so anyway, then that's a relatively easy fix in policy enforcement within LastPass.

      The big elephant in the room is that LastPass centralizes security for a

    • Home computer accessing corporate data? In some instances that's not even legal, healthcare and banking being the most obvious.

      Can't speak for legal or banking, but I'm quite certain that there isn't a blanket ban on employees of health systems accessing healthcare data from personal devices. I'd be very interested in being corrected if there are jurisdictions that do impose such restrictions.

  • by backslashdot ( 95548 ) on Monday February 27, 2023 @10:28PM (#63329015)

    They didn't fire him, but told him sternly that this was his last pass.

  • That probably means it was 'one of ours', or else the media etc would be falling over themselves to point at Russia, China, North Korea or Iran.
    We have always been at war with Eastasia.

    • Given the slow drip of information from LastPass on this, they might not be pointing fingers because they don't have solid details yet. I mean they aren't even naming the media software that was affected which seems a much lower bar to clear than potentially which nation-state (if any) was involved.

    • 'one of ours'

      But often, 'one of ours' sells the info that they harvest on some dark market. And the buyers are not infrequently 'one of theirs'.

  • by GFS666 ( 6452674 ) on Monday February 27, 2023 @11:39PM (#63329089)
    My work recently started using LastPass as a means for people to not have to "remember" their passwords. And the work IT department cheerfully let us know that they have paid for all of us to get a LastPass subscription for our personal Home Computers as well! Thankfully, I knew that no computer system is hack proof, ESPECIALLY computer systems that store passwords, so I have not used it either for work or home computers. Glad I did.
    • by Anonymous Coward

      Thankfully, I knew that no computer system is hack proof, ESPECIALLY computer systems that store passwords, so I have not used it either for work or home computers.

      Right choice, wrong reason.

      "Security" isn't a true/false value.
      "Secure" is one end of a scale, where the other end is "convenience", when one goes up the other goes down equally.

      "Being secure" is choosing the right balance for a given situation.
      100% secure means 0% convenient, meaning even you couldn't access your stuff.
      0% secure means 100% convenient, meaning even the attempt to determine if it is you is too much hassle and all your stuff should be given out freely to anyone.

      Neither absolute is useful, any

  • Why the hell is a Lastpass employee using a personally-owned computer to do work for the company? Why does Lastpass even allow non-company computers to access company resources???

    Where I work, that shit will get you fired instantly.

    Poor practices all around...

    • You're correct in principle.

      But I can tell you when the company I worked for was bought out, they stopped stopped supporting Linux and issued us Macs (or Windows machines with secureboot so you can't put Linux on it).

      So, I just used my personal Linux machine from then on.

      So, the socio-technical aspect is much more complicated than "don't allow personal machines".

      • Aww, you are so special. Seriously, if you can't abide by your corporate security policies, you go find a new job. If you bypass your corporate security policies, you deserve to be fired.
        • If my employer doesn't care about my needs, then I don't care about theirs. They're the ones who came in and changed shit.

          Also, you angry fuckwit, I told my manager what I was doing.

  • The Security Community (rolls eyes) and the PaaS guys want Zero trust + DevOps + IaC to work so badly they can't see the very plain reality

    - You are extending privileges to persons that are increasingly unknown to you.

    - You are extended privileges to organizations with increasingly opaque internal procedures, or maybe procedures that you would not really except if you had much choice but don't like Azure or AWS hiring policy well to bad where you gonna go?

    - You are probably trusting clients which you really

    • by flink ( 18449 )

      Zero trust does not mean you literally trust no one. It just means your apps/servers don't accept unauthenticated inputs, even from other devices on the local network. The level of trust to assign to a given interaction depends on the identity of the caller and the credentials presented to prove that identity.

      Zero trust will not save you from having bad policies. LastPass should not have allowed personal devices to authenticate to their VPN, and beyond that should have required the use of a locked-down j

      • by DarkOx ( 621550 )

        I understand zero trust means no unauthenticated connections as opposed to the old perimeter trust model

        - hey you are on this network so you must be ok

        Zero trust will not save you from having bad policies. LastPass should not have allowed personal devices to authenticate to their VPN

        And you *know* its a personal device vs corporate device how? Right be you asked it, and it said my name is... Sure that will be under piles of obfuscation but that is essentially it.

        but but but . it has a client certificate, yes so all you have proven REALLY is that you sent out a corporate device with client cert on it at one time, you HOPE that certificate

  • Attacking a "Password management software firm" is brilliant. There have been other successful attacks-on-tools but a *password* company is a genius high-value target. The leverage!
  • I used lastPass for years on the suggestions of my brother who is a security researcher, well he should have done more research as this company has had so many security breaches of their own for not following good protocol. I stopped using Last pass back in Dec following the news of their "big" hack and loss of customer data, that they could still have THIS incident occur after it is just the icing on the proverbial cake.

Computers are not intelligent. They only think they are.

Working...