Password manager LastPass recently revealed that it had been subject to a cyber-attack, following a related breach in August 2022. Incredibly, this second breach was made possible by using the same credentials that were leaked previously. We take a look at how the hacker was able to gain access for a second time and what lessons other businesses can learn from the latest breach.
Who are LastPass?
LastPass is a password manager that stores unique, complex passwords behind a single master password. This lets users create a different, complicated password for every account or website they use, with the passwords synchronized to every device on which they run the LastPass app or browser extension.
Ironically, the company has experienced a number of security breaches in the past, dating back to 2011. One of the most recent, in August 2022, saw the intruders access ‘source code and proprietary technical information’ from its development environment by exploiting a single compromised employee account. That incident ended on August 12, but astonishingly, the company revealed in December 2022 that a second, co-ordinated attack took place between August 12, 2022 and October 26, 2022.
What happened in this most recent breach?
The second incident saw the threat actor quickly make use of information extracted during the first incident, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer.
The DevOps engineer’s personal computer was compromised while he was working from home and connected to the corporate environment. The attackers installed a keylogger, software that records whatever is typed, on the device in order to capture his master password. They did so by exploiting a remote code execution vulnerability in a third-party media software package, reportedly an application used for personal purposes on a device that was not corporate-controlled.
LastPass’s own security advisory revealed: "The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."
“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."
It’s unclear what the third-party media software was; there is only speculation. LastPass is said to have reset important credentials as part of its recovery plan, and is also looking to implement ‘extra S3 hardening measures’ as well as improved log-in alert mechanisms.
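The advisory quoted above makes one defensive point very clearly: the master password was captured after the engineer had already passed MFA, so a successful MFA login on its own says nothing about whether the session is safe. An alerting mechanism therefore has to key on device posture (is this a managed device?) and on behaviour (what was exported, and how much?). The following is an added illustration of that kind of rule set, not LastPass’s code or log format; the JSON event shape, the field names, the device inventory, the folder names and the bulk-export threshold are all constructed for the example.

```python
"""Flag high-risk vault activity in a constructed audit log.

Added example; the event format, device inventory and folder names are
assumptions for illustration, not LastPass's real logging.
"""
import json
from dataclasses import dataclass, field

# Constructed inventory of devices under corporate management.
MANAGED_DEVICES = {"corp-laptop-0421", "corp-laptop-0788"}

# Constructed names for shared folders whose contents would let an attacker
# reach backups, mirroring the "secure notes with decryption keys" in the advisory.
HIGH_VALUE_FOLDERS = {"prod-backup-keys", "cloud-storage-creds"}

BULK_EXPORT_THRESHOLD = 50  # items per export; assumed tuning value

# Constructed sample log: one JSON object per line. Note that both logins
# carry mfa=true; MFA success is deliberately not used as a "safe" signal.
SAMPLE_LOG = """
{"ts": "2022-08-20T09:02:11Z", "user": "devops1", "device": "corp-laptop-0421", "action": "login", "mfa": true}
{"ts": "2022-08-20T09:05:40Z", "user": "devops1", "device": "corp-laptop-0421", "action": "vault_export", "item_count": 3}
{"ts": "2022-08-21T22:14:03Z", "user": "devops1", "device": "home-pc-7f3a", "action": "login", "mfa": true}
{"ts": "2022-08-21T22:16:59Z", "user": "devops1", "device": "home-pc-7f3a", "action": "shared_folder_export", "folder": "prod-backup-keys", "item_count": 412}
"""


@dataclass
class Alert:
    line_no: int
    user: str
    action: str
    reasons: list[str] = field(default_factory=list)


def parse_events(log_text: str) -> list[dict]:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def evaluate(events: list[dict], managed: set[str] = MANAGED_DEVICES) -> list[Alert]:
    """Return one Alert per event that a human should look at.

    Rules: any activity from a device outside the managed inventory is
    flagged (even a clean MFA login), and exports are additionally flagged
    when they are bulk or touch a high-value shared folder.
    """
    alerts: list[Alert] = []
    for n, ev in enumerate(events, start=1):
        reasons: list[str] = []
        device = ev.get("device", "")
        action = ev.get("action", "")
        if device not in managed:
            reasons.append(f"device {device!r} is not in the managed inventory")
        if action in {"vault_export", "shared_folder_export"}:
            if ev.get("item_count", 0) >= BULK_EXPORT_THRESHOLD:
                reasons.append(f"bulk export of {ev['item_count']} items")
            if ev.get("folder") in HIGH_VALUE_FOLDERS:
                reasons.append(f"export touched high-value folder {ev['folder']!r}")
        if reasons:
            alerts.append(Alert(n, ev.get("user", "?"), action, reasons))
    return alerts


def run_sample() -> list[Alert]:
    """Evaluate the constructed log; lines 3 and 4 should be flagged."""
    return evaluate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"line {alert.line_no}: {alert.user} {alert.action}")
        for reason in alert.reasons:
            print(f"  - {reason}")
```

Run against the constructed log, the first two events (a managed laptop logging in and exporting three items) produce nothing, while the login from the unknown home PC is flagged despite MFA, and the 412-item export of the backup-key folder is flagged three times over. The point of the design is that the second alert fires before anyone has to decide whether the master password was stolen: device posture and export volume are observable, keylogging is not.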
These latest breaches have no doubt caused untold damage to the company’s reputation, particularly since customers rely on its strong cybersecurity measures. Many have questioned whether users will lose trust in the business.
However, thanks to LastPass’s complete transparency over their latest breach, others have been able to learn from the incident and ensure that their own systems don’t possess the same vulnerabilities.
What can other companies learn from the breach?
When the Covid-19 pandemic hit in early 2020, there was an almost immediate shift to home-working for millions of people across the UK, as well as the rest of the world. The problem with this almost immediate shift, however, is that many businesses weren’t set up for home working, with many employees using their own devices to connect to a work VPN. But just how safe are these connections?
Many argue that controls around Bring Your Own Device (BYOD) aren’t strong enough, with endpoints often not properly controlled and protected. Even when employees use corporate devices, they still connect via their home broadband router, which isn’t corporate grade and can introduce vulnerabilities of its own. Additionally, home networks are typically flat and have many devices connected, from tablets, TVs and media devices to smart home systems, all of which can have vulnerabilities that pose additional risk.
There is also the notion that people are more likely to visit suspicious links on their home devices, and are more comfortable doing so, than when they use a corporate device. And this is a problem.
What is evident is that three years on, many businesses have continued to utilise home or hybrid working, and that doesn’t look likely to change any time soon. Businesses must therefore do all they can to ensure the security of the devices their employees are using, whether they are corporate controlled, or the employee’s own personal device.
When looking to invest, businesses might want to consider ensuring that every employee has a company-controlled computer and phone, and could even introduce ‘corporate access points’ in employees’ houses. Another approach is to adopt a Zero Trust Network Access (ZTNA) solution. However, in a time when cashflow is tight for many businesses, this often isn’t an option.
When looking at the cybersecurity of current devices and systems, the endpoint is king. That’s exactly why the government-backed Cyber Essentials Plus scheme is such an efficient and valuable asset for any business – it includes the testing of endpoints. To ensure all the main bases are covered, the scheme looks at five main technical controls: securing your internet connection via firewalls and routers; securing your devices and software by making sure they are configured correctly; controlling user access and admin accounts; protecting against viruses and malware; and ensuring your devices and software are up to date. Businesses need to ensure that they are fully compliant with these five technical controls, including on any endpoints that access corporate data.
If the worst were to happen and a business faced a breach, it’s vital that a detection capability is in place alongside a well-designed response and recovery plan. Being able to detect suspicious and malicious behaviour is the first step. Detection needs to trigger a well thought out and practised Incident Response Plan. Having reduced the business’s Mean Time to Detect (MTTD), the next target is to reduce the Mean Time to Respond (MTTR). Responding swiftly to detections will enable the business’s first responders to contain a breach efficiently and reduce the damage caused.
Having contained a breach, the next phase is to recover. A well-designed Recovery Plan can significantly reduce the time to restore full business operation. Recovery covers not only the restoration of systems, data and services, but also public relations management and how the business communicates what has happened to stakeholders, to limit the impact on its reputation.
To speak with the Flow team about your current cybersecurity measures and how you can avoid a breach like the one at LastPass, get in touch via our contact page.