LastPass’ password management service has introduced millions of users to the convenience and security of unique passwords. Across mobile and browser, LastPass promises a near-passwordless experience for millions of individuals and over 100,000 businesses. However, recent news threatens to drop a bombshell on credential-based security.
The Year-Long LastPass Dual Breach
In August 2022, LastPass released a report of a small-scale security incident. Notifying consumers of the breach, LastPass reassured them that no consumer data had been accessed. Certain LastPass credentials had been stolen during the first attack, but these were encrypted – from the organization’s perspective, there was no way the threat actor had access to the necessary decryption keys. It was acknowledged that the attack likely gave the malicious actor further insight into the company’s internal development documentation. One such piece of information is that only four – highly senior – DevOps engineers hold access to the password vaults’ decryption keys.
Delving deeper into August’s breach, recent analysis found one key oversight in the initial report: attackers had simultaneously compromised a DevOps engineer’s home computer. This device had a number of apps installed, one of which was the media software Plex. According to Ars Technica, Plex granted the attackers a key foothold via a remote code execution bug; the attackers used this to install a malicious keylogger on the DevOps engineer’s home laptop. From there, the attacker was free to capture the employee’s login credentials as they were entered.
Once the master password of this senior DevOps account was stolen, attackers could freely access the engineer’s corporate vault. These shared instances contained a smorgasbord of access and decryption keys for AWS-hosted backups. Between August and October 2022, data was continuously stolen from the company’s Amazon S3 buckets. Exfiltration via the employee account meant malicious behavior was difficult to distinguish from legitimate activity. Eventually, in December, the company discovered the attacker when they attempted to use the account for unauthorized activity.
How Credentials Need to Keep Pace
The attackers knew that attempting to attack the highly reinforced on-premises servers would be a waste of time and resources. A remote workforce, however, requires a completely new approach to credentials, one that LastPass failed to implement in time. This became the perfect gap for a complex attack path.
Firstly, organizations need to recognize the increasing interconnectedness of today’s developers. Solutions such as Snyk, a partner of GlobalDots, allow security to keep pace with development by monitoring open-source and third-party vulnerabilities. Built on a comprehensive vulnerability database, Snyk integrates with existing dev workflows and automatically remediates license violations across open-source dependencies and container images.
While developers and the workforce enjoy increased protection, all employee accounts can benefit from account access reinforcement. Okta, another GlobalDots partner, provides fast and flexible access to compute resources while doing away with traditional static credentials. The LastPass breaches have proven that traditional credentials hold all the privilege – Okta changes this with dynamic, single-use credentials and keys that prevent the abuse of risky static credentials.
Automated evaluation of each login’s context reinforces next-gen workforce IAM, while simplified lifecycle management tools allow the automated provisioning of access as the employee base changes over time.
Following the year-long breach, LastPass has upgraded its security by rotating high-privilege credentials and re-issuing any certificates the attacker obtained. Extra S3 hardening protocols are now in place, with logging and alert functions providing initial visibility into account infrastructure.
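The exfiltration described above went unnoticed for months because a valid employee identity was doing the reading; the logging and alerting just mentioned only helps if a rule compares each identity against its own history rather than against whether the credential is valid. The following is an added example, not LastPass’ or GlobalDots’ code: it uses CloudTrail-style S3 data-event field names, and the account ID, identity names, IPs and byte counts are constructed.

```python
import json
from collections import defaultdict
from statistics import mean

# Constructed CloudTrail-style S3 data events (JSON lines); not real LastPass logs.
# A single engineer identity reads backups at a steady daily rate, then one day
# pulls far more, from a source IP never seen for that identity.
SAMPLE_LOG = """
{"eventTime":"2022-08-01T09:00:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-eng"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":50000000}}
{"eventTime":"2022-08-02T09:05:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-eng"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":60000000}}
{"eventTime":"2022-08-03T08:58:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-eng"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":55000000}}
{"eventTime":"2022-08-04T02:11:00Z","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-eng"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2022-08-04T02:12:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/devops-eng"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"bytesTransferredOut":2000000000}}
{"eventTime":"2022-08-04T03:00:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"sourceIPAddress":"203.0.113.20","additionalEventData":{"bytesTransferredOut":100000000}}
"""


def find_anomalies(log_text, factor=5.0):
    """Alert on S3 GetObject activity that breaks an identity's own pattern:
    (1) a source IP never seen before for that identity, and (2) a day whose
    outbound bytes exceed `factor` times the mean of that identity's earlier
    days. An identity with no history produces no volume alert."""
    events = sorted((json.loads(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["eventTime"])
    per_day = defaultdict(int)      # (arn, day) -> bytes transferred out
    seen_ips = defaultdict(set)     # arn -> source IPs already observed
    alerts = []
    for e in events:
        if e.get("eventName") != "GetObject":
            continue                # only object reads count toward exfil volume
        arn, day, ip = e["userIdentity"]["arn"], e["eventTime"][:10], e["sourceIPAddress"]
        if seen_ips[arn] and ip not in seen_ips[arn]:
            alerts.append({"arn": arn, "day": day, "reason": f"new source IP {ip}"})
        seen_ips[arn].add(ip)
        per_day[(arn, day)] += e.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    history = defaultdict(list)     # arn -> [(day, bytes)] in date order
    for (arn, day), total in sorted(per_day.items()):
        history[arn].append((day, total))
    for arn, days in history.items():
        for i in range(1, len(days)):
            baseline = mean(b for _, b in days[:i])   # mean of earlier days only
            day, total = days[i]
            if total > factor * baseline:
                alerts.append({"arn": arn, "day": day,
                               "reason": f"{total} bytes out vs baseline {baseline:.0f}"})
    return alerts
```

On the sample log the steady-rate reads and the separate service identity stay quiet, and only the 2022-08-04 activity of the engineer identity is raised, once for the new IP and once for the volume jump.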
For now, LastPass recommends that all users change not only their master passwords but all passwords in their connected vaults, in order to limit the blast radius of upcoming account takeover attacks.
Secure your workforce IAM and work environment with GlobalDots. We provide comprehensive security solutions for any stack, ensuring your organization’s protection – contact us now.