LastPass Says Home Computer of DevOps Engineer Was Hacked (securityweek.com)
wiredmikey shares a report from SecurityWeek: Password management software firm LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources. LastPass on Monday fessed up a "second attack" where an unnamed threat actor combined data stolen from an August breach with information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated attack. [...]
LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer's home computer was targeted to get around security mitigations. The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee's personal computer. "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," the company said. "The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups," LastPass confirmed. LastPass originally disclosed the breach in August 2022 and warned that "some source code and technical information were stolen."
SecurityWeek adds: "In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information."
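The mechanism in the summary above (master password captured by a keylogger after MFA had already been satisfied, then the vault and its secure notes decrypted) comes down to where the vault key is derived from. The script below is an added illustration, not LastPass code: it assumes the vault key is PBKDF2-HMAC-SHA256 over the master password with the account e-mail as salt (the iteration count, the salt choice, and the toy HMAC stream cipher standing in for the real vault encryption are all assumptions of this example), and contrasts that with a key that also mixes in a secret held only by the enrolled device.

```python
"""Why MFA did not protect the vault once the master password was keylogged.

Added illustration, not LastPass code. Model (assumed for this example): the
vault key is derived from the master password alone with PBKDF2-HMAC-SHA256
using the account e-mail as salt, and MFA gates only the server-side login.
A toy HMAC-SHA256 stream cipher with an HMAC tag stands in for the real
vault encryption so the script runs with the standard library only.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_100  # assumed PBKDF2 work factor for this example


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Password-only key: what the keylogger captured is enough to rebuild it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def derive_device_bound_key(master_password: str, email: str, device_secret: bytes) -> bytes:
    """Key that also depends on a secret held by the enrolled device (for example
    in a TPM or hardware token) and never typed, so a keylogger alone cannot
    reproduce it. The HMAC-based combination is an assumption of this example."""
    pw_key = derive_vault_key(master_password, email)
    return hmac.new(device_secret, b"vault-key" + pw_key, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def simulate(master_password: str = "correct horse battery staple",
             email: str = "eng@example.com") -> dict:
    """Constructed scenario: the vault holds a secure note carrying a backup
    decryption key. The attacker holds the keylogged master password; MFA has
    already been passed upstream by the legitimate user."""
    note = b"S3 backup decryption key: EXAMPLE-KEY-0001"  # constructed secret
    device_secret = secrets.token_bytes(32)  # exists only on the enrolled device

    vault_pw_only = encrypt_entry(derive_vault_key(master_password, email), note)
    vault_device_bound = encrypt_entry(
        derive_device_bound_key(master_password, email, device_secret), note)

    # Attacker's view: the keylogged password, no device secret.
    stolen_key = derive_vault_key(master_password, email)
    return {
        "password_only_vault_decrypted": decrypt_entry(stolen_key, vault_pw_only) == note,
        "device_bound_vault_decrypted": decrypt_entry(stolen_key, vault_device_bound) == note,
    }


if __name__ == "__main__":
    print(simulate())
```

The second factor proves that the account holder pressed the button at login time; the vault decryption key never depended on it, so anything that can read the keyboard on the machine where the password is typed gets the whole vault. Binding part of the key material to an enrolled device changes what a keylogger on an unmanaged machine can achieve.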
So much wrong... (Score:4, Informative)
So much wrong with this, it isn't even funny:
1: "Personal home computer". Why is someone using their personal stuff to connect to a high-value target.
2: No VDI. There is a level of security where moving to a VDI is a must, just to prevent data exfiltration. It does allow RATs and keyloggers, but at least it will keep ransomware from happening. VDI also ensures people authenticate with two factors.
3: Why was none of this protected with a timeout?
4: Where is the EDR/XDR/MDR which would detect keyloggers and data being exfiltrated?
The big problem with this entire thing was that stuff was accessed via a personal computer. It should have been on a company owned computer that has AppLocker on it to ensure that third party stuff doesn't run without authorization from IT.
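Point 4 above asks where the detection was. As an added example (not LastPass tooling; the log format, field names, thresholds and sample events are all constructed for illustration), here is the kind of rule set a SOC would run over a vault audit log to surface the pattern from the summary: an MFA-passing login from a source never seen for that user, a bulk export of vault entries, and a read of a sensitive shared folder by the flagged user.

```python
"""Detection logic over a constructed vault audit log.

Added example, not LastPass tooling. The JSON-lines format, field names,
baseline and thresholds are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events; not real LastPass logs.
SAMPLE_LOG = """
{"ts": "2022-08-14T21:02:11Z", "user": "alice", "action": "login", "mfa": true, "src_ip": "198.51.100.20"}
{"ts": "2022-08-14T21:03:40Z", "user": "alice", "action": "export_entries", "count": 3, "src_ip": "198.51.100.20"}
{"ts": "2022-08-14T22:10:05Z", "user": "devops-eng", "action": "login", "mfa": true, "src_ip": "203.0.113.7"}
{"ts": "2022-08-14T22:11:30Z", "user": "devops-eng", "action": "export_entries", "count": 60, "src_ip": "203.0.113.7"}
{"ts": "2022-08-14T22:12:02Z", "user": "devops-eng", "action": "export_entries", "count": 352, "src_ip": "203.0.113.7"}
{"ts": "2022-08-14T22:13:45Z", "user": "devops-eng", "action": "read_shared_folder", "folder": "prod-backup-keys", "src_ip": "203.0.113.7"}
"""

# Constructed baseline: source IPs previously seen per user.
KNOWN_IPS = {"alice": {"198.51.100.20"}, "devops-eng": {"198.51.100.10"}}


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, known_ips: dict, export_threshold: int = 100,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Three rules; alerts are returned in event order."""
    alerts = []
    exports = defaultdict(deque)   # user -> (ts, count) exports inside the window
    flagged = set()                # users with an unseen-source login in this run
    for e in events:
        user, ip, action = e["user"], e["src_ip"], e["action"]
        if action == "login" and ip not in known_ips.get(user, set()):
            # MFA success says the right person completed the login; it says
            # nothing about the machine the master password was typed on.
            flagged.add(user)
            alerts.append({"rule": "login_from_unseen_source", "user": user,
                           "src_ip": ip, "mfa": e.get("mfa", False)})
        elif action == "export_entries":
            q = exports[user]
            q.append((e["ts"], e["count"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()
            total = sum(c for _, c in q)
            if total >= export_threshold:
                alerts.append({"rule": "bulk_vault_export", "user": user,
                               "entries": total, "src_ip": ip})
                q.clear()  # one alert per burst
        elif action == "read_shared_folder" and user in flagged:
            alerts.append({"rule": "shared_folder_read_by_flagged_user", "user": user,
                           "folder": e["folder"], "src_ip": ip})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print(json.dumps(alert))
```

Each rule on its own is noisy; the value is in chaining them on one principal within a short window, and in treating "MFA passed" as irrelevant to whether the endpoint is trustworthy.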
Re: (Score:3)
How many instances of passwords being stolen from lastpass users have there been?
Re: (Score:3)
Nobody knows. As this product should now be banned in any somewhat professionally run software landscape, it will likely be mostly private users. And there are no statistics on them that are precise enough.
Re: (Score:2)
So you think it's safer to go with a company that has not yet been hacked. [wikiquote.org]
Best of luck!
Re: (Score:2)
KeePass doesn't store your password vault in an S3 bucket with a million other people's password vaults, so there is nothing to hack. It's stored locally on your computer. It's as secure as your personal device + how strong of a passphrase you use to protect your key.
The difference is not throwing your lot in with a million other people and presenting a large target. Sure, if a sophisticated hacker is after you in particular, as was the case with this poor Dev Ops guy, then you are probably fucked, but c
Re: (Score:2)
Honest question: A person has a home desktop, a home laptop, and a personal phone. If you are required to change a password for one of your systems (30-day switch requirement) while you're trying to log in on your phone, what do you do with KeePass to ensure that your new 25-character PW is available on your laptop and desktop?
Re: (Score:2)
Obviously you should set up a home linux server and sync to that!
Re: (Score:2)
The KeePass app of your choice on the phone directly opens a cloud stored copy of the database so the new password is immediately changed there.
On the PC you configure triggers on database unlock, as well as save, which sync the local copy and cloud copies. The cloud copies are automatically synced with Dropbox, OneDrive, Google Drive, etc. from their desktop apps. So the next time KeePass is unlocked, the password change would be pulled down to the local PC's copy.
You could run into issues if you attempt to
Re: (Score:2)
Nobody knows.
Well, that's not rational, is it? If you don't know something, you have to assume the worst?
As this product should now be banned in any somewhat professionally run software landscape
That assertion surprised me, so I've tried looking it up. I can't find it anywhere. Which companies have banned the use of Lastpass?
Re: (Score:2)
Why would it be banned in a professionally run software landscape? I figure for larger companies, they'd probably want to run their own key stores (similar to how they might run a build or email server), but there are lots of little companies that use third party tools like Atlassian or Microsoft for their infrastructure that it seems like it'd still be a good fit for
Re: (Score:2)
It's difficult to know. It's like cancer: attributing it to one company's cigarettes, or air pollution, or that time you got sunburned, or the leak from the local nuclear plant, is pretty much impossible.
Re: (Score:2)
Add to this:
5. "remote code execution vulnerability in a third-party media software package": it tells me that this person's box was accessible from the internet, and at the same time hosted the credentials to access production servers.
There's so much fail in this situation .... it's sure going to be the final nail in their coffin, just like with solarwinds [bleepingcomputer.com] ... ? oh, well ...
Standard operating procedure... (Score:4, Insightful)
Re: (Score:3)
And that is why you put reporting requirement and pretty bad penalties for lying in place.
Re:Standard operating procedure... (Score:4, Insightful)
Doesn't work. Every CEO thinks he's too smart to get caught and that all his employees will keep quiet if he tells them to.
Re: (Score:2)
Give it a bit of time. As any significant data-breach is basically impossible to hide, the CEOs will stop thinking that rather fast.
Re: (Score:3)
It's SOP for every experienced organization to never state something worse than it is, but you also can't describe the full extent of the problem until you complete the investigation.
Could you imagine if LastPass were to come out and say, "We don't know what was taken or how it was taken. Heck, even our DevOps home computers could be attack vectors." What do you think would happen next?
No, instead you focus on solving the problem and deal with media releases later. You're much better off dealing with custom
Lastpass is being lazy (Score:3)
Re:Lastpass is being lazy (Score:4, Insightful)
Now only if there was some kind of portable computing device that could be used in the corporate office, and then taken home and used there too.
Why the fuck does the IT department at a company that makes security software allow non-company owned systems to connect to anything at all, much less production code, databases, logging, etc.? Never heard of device authentication?
I mean, did they give the IT security job to some C-suite's nephew because he's good at computers and stuff?
Re: (Score:2)
I'm not keen on laptops for development. Laptops rarely have support for wired networking (which is faster and more secure than wireless), rarely support 2-3 monitors (a must for serious developers), and are too easy to lose in transit (as happens a lot with British MOD laptops, apparently). You're better off with a proper tower unit at work and a tower unit dedicated to work at home. People should be checking in their code on a regular basis, so the portability of the computer is a non-issue. The only thin
Re: (Score:2)
The portability of the computer is still an issue, unless you are using something to cloud-sync the entire user environment between those machines - installed software, settings, documents, bookmarks, open documents, browser history, developer environment tweaks, etc.
Sure, git will handle the code sync, but unless you are checking /home/* into git, your user experience is going to fucking suck, and buying two machines where each one will at maximum see a 50% utilization is not a responsible way to spend you
Re: (Score:2)
The laptops I've been given for the last two jobs I've worked were at least a decade old, didn't support DisplayPort (only HDMI), lacked ethernet (only wireless), had failing hardware, had tiny memories and were sluggish in the extreme, yet the companies are highly profitable. These are not "good laptops" and barely qualify as laptops at all. They're more mini coffee tables with built-in email.
I could probably handle a GOOD laptop with high specifications, but these had specifications that weren't good even
Re: (Score:2)
Sounds like you've worked at shops that feature IT staff with their head so far up their ass they'd have to cut in switchback trails just to find it.
That's a real shame - it's a joy to actually be provided with the resources and tools needed to get the job done instead of working around penny-pinching policy that hinders getting shit done; or spending $50k worth of salary on a series of middle-management meetings discussing it just to decide that spending an extra $50k on better equipment in the name of dev
Re: (Score:2)
I've seen it happen when the company doesn't provide adequate IT equipment. People only have so much space at home, and KVMs are expensive... Sounds ridiculous but I've seen it done.
Re: (Score:2)
Any company that has a "Bring Your Own Technology" policy is asking for this trouble.
Re: (Score:2)
Didn't LastPass get bought by LogMeIn, the company famous for helping people get around their companies' firewalls?
Regardless, with that job expect to be targeted by nation-state actors and be hit with 0-days.
In-band keyboard password entry is not good enough.
Re: (Score:2)
Didn't LastPass get bought by LogMeIn, the company famous for helping people get around their companies' firewalls?
Regardless, with that job expect to be targeted by nation-state actors and be hit with 0-days.
In-band keyboard password entry is not good enough.
nation-state actors indeed.
In this case, no one has even remotely suggested just which APT might be involved, on behalf of which nation-state actor.
And the access seems extremely... tailored.
This is a massive hint.
Re: (Score:2)
If accessing corporate data from your personal computer was allowed, that's a problem.
If accessing corporate data from your personal computer was not allowed, LastPass didn't provide a work computer from home, and the employee was expected to work from home, then that's a problem.
If the employee wasn't allowed to connect from a personal computer and did so anyway, then that's a relatively easy fix in policy enforcement within LastPass.
The big elephant in the room is that LastPass centralizes security for a
Re: (Score:2)
Home computer accessing corporate data? In some instances that's not even legal, healthcare and banking being the most obvious.
Can't speak for legal or banking, but I'm quite certain that there isn't a blanket ban on employees of health systems accessing healthcare data from personal devices. I'd be very interested in being corrected if there are jurisdictions that do impose such restrictions.
Re: Password manager? Putting all of your eggs in (Score:4, Funny)
Just add an exclamation mark at the end, it'll be fine.
Re: Password manager? Putting all of your eggs in (Score:2)
For something like your work network, where you work in security? You simply remember it. If you can't remember one strong password, then you shouldn't be in security.
correcthorsebatterystaple
Re: (Score:2)
Avoid password managers which store your passwords in a centralized location or protect your information with an account you don't control.
I personally like Codebook [zetetic.net]. They've been around forever - I've been using it since it was a PalmPilot app called STRIP.
The encryption key for the password store is managed by the user and never sent to the cloud or over the network. It's replicated between devices via QR code or code word block.
The password store can be replicated via Google Drive, Dropbox, or peer-to-
Re: (Score:2)
That sounds like an awesome solution for us nerds. What about for non-nerds that are supposed to maintain 25+ unique passwords for the various systems used at work and the 45 unique passwords used in personal life and used throughout a variety of phones, laptops, and desktops?
That's the solution LastPass is attempting to provide.
Re: (Score:2)
When you have thousands of root passwords, many local enable passwords, admin passwords, SA passwords, recovery codes, backup keys, GPG private key material, and a lot of other highly sensitive stuff, options are not easy. You can use something like KeePass and store it locally, or use something that people assumed to be secure and store it in that.
A solid password manager takes some thought, but so does any type of security stuff. What happened with LastPass were bad fundamental engineering decisions
Didn't fire the guy (Score:5, Funny)
They didn't fire him, but told him sternly that this was his last pass.
Re: (Score:1)
hahahaha
Re: (Score:2)
Did they securely obscure him?
If the threat actor is unnamed... (Score:2, Interesting)
That probably means it was 'one of ours', or else the media etc would be falling over themselves to point at Russia, China, North Korea or Iran.
We have always been at war with Eastasia.
Re: (Score:2)
Given the slow drip of information from LastPass on this, they might not be pointing fingers because they don't have solid details yet. I mean they aren't even naming the media software that was affected which seems a much lower bar to clear than potentially which nation-state (if any) was involved.
Re: If the threat actor is unnamed... (Score:2)
'one of ours'
But often, 'one of ours' sells the info that they harvest on some dark market. And the buyers are not infrequently 'one of theirs'.
Aaaaaaaand This Is Why I Did not Sign Up (Score:3)
Re: (Score:1)
Thankfully, I knew that no computer system is hack proof, ESPECIALLY computer systems that store passwords, so I have not used it either for work or home computers.
Right choice, wrong reason.
"Security" isn't a true/false value.
"Secure" is one end of a scale, where the other end is "convenience"; when one goes up the other goes down equally.
"Being secure" is choosing the right balance for a given situation.
100% secure means 0% convenient, meaning even you couldn't access your stuff.
0% secure means 100% convenient, meaning even the attempt to determine if it is you is too much hassle and all your stuff should be given out freely to anyone.
Neither absolute is useful, any
Why the hell? (Score:2)
Why the hell is a Lastpass employee using a personally-owned computer to do work for the company? Why does Lastpass even allow non-company computers to access company resources???
Where I work, that shit will get you fired instantly.
Poor practices all around...
Re: Why the hell? (Score:2)
You're correct in principle.
But I can tell you when the company I worked for was bought out, they stopped supporting Linux and issued us Macs (or Windows machines with secureboot so you can't put Linux on it).
So, I just used my personal Linux machine from then on.
So, the socio-technical aspect is much more complicated than "don't allow personal machines".
Re: Why the hell? (Score:2)
If my employer doesn't care about my needs, then I don't care about theirs. They're the ones who came in and changed shit.
Also, you angry fuckwit, I told my manager what I was doing.
Re: Why the hell? (Score:2)
Or tell your boss it's unacceptable to get clearance. You like being a bitch, huh?
Zero Trust (Score:2)
The Security Community (rolls eyes) and the PaaS guys want Zero trust + DevOps + IaC to work so badly they can't see the very plain reality
- You are extending privileges to persons that are increasingly unknown to you.
- You are extending privileges to organizations with increasingly opaque internal procedures, or maybe procedures that you would not really accept if you had much choice. But you don't like Azure or AWS hiring policy? Well, too bad, where are you gonna go?
- You are probably trusting clients which you really
Re: (Score:2)
Zero trust does not mean you literally trust no one. It just means your apps/servers don't accept unauthenticated inputs, even from other devices on the local network. The level of trust to assign to a given interaction depends on the identity of the caller and the credentials presented to prove that identity.
Zero trust will not save you from having bad policies. LastPass should not have allowed personal devices to authenticate to their VPN, and beyond that should have required the use of a locked-down j
Re: (Score:2)
I understand zero trust means no unauthenticated connections as opposed to the old perimeter trust model
- hey you are on this network so you must be ok
Zero trust will not save you from having bad policies. LastPass should not have allowed personal devices to authenticate to their VPN
And you *know* it's a personal device vs. a corporate device how? Right, because you asked it, and it said "my name is..." Sure, that will be under piles of obfuscation, but that is essentially it.
but but but . it has a client certificate, yes so all you have proven REALLY is that you sent out a corporate device with client cert on it at one time, you HOPE that certificate