On this episode of the My TechDecisions Podcast, we discuss the LastPass breach and what IT security teams can learn from it with Scott Caveza, senior research manager at Tenable.
Late last month, LastPass revealed that the same threat actor that accessed portions of the LastPass development environment and source code, an incident that has forced the company to provide updates since August 2022 as new information is revealed, apparently accessed a shared cloud-storage environment and obtained access keys and decryption keys by targeting a developer’s home computer.
To obtain decryption keys needed to access the company’s AWS S3 buckets, the threat actor targeted one of the four DevOps engineers who had access to those decryption keys. The threat actor targeted the engineer’s home computer, exploited a third-party media software package bug to gain remote code execution and implanted keylogger malware.
This allowed the attacker to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups, the company says.
According to Caveza, this exemplifies why organizations need a strong patch management program and end user awareness and training to ensure that users are updating any devices they use for work, including those at home.
Listen to the podcast in the player below or on your favorite podcasting platform!