Employee’s hacked home PC allowed threat actor access to LastPass corporate vault

LastPass said an engineer’s home PC was hacked after an August security incident, which allowed the threat actor to later access decryption keys needed to access the DevOps engineer’s corporate vault and exfiltrate data from cloud-storage resources.

In a Feb. 27 update to the security incident, the password manager firm said it had high confidence the first incident ended Aug. 12, 2022, but the threat actor “was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.” 

Because the threat actor used valid credentials to access the cloud-based storage resources, investigators had difficulty differentiating between threat-actor and legitimate activity. Eventually, AWS GuardDuty Alerts informed LastPass of “anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”

Because the cloud-based storage services, notably AWS S3 buckets, were encrypted and only four DevOps engineers had access to the decryption keys, the threat actor made quick use of the stolen credentials after Aug. 12 by targeting one of the engineers’ home computers. The threat actor exploited a vulnerable third-party media software package to gain remote code execution (RCE) capability and install a keylogger.

Using the keylogger malware, the threat actor captured the employee’s master password after the employee authenticated with MFA, which gave the threat actor access to the engineer’s LastPass corporate vault.

The February update by LastPass follows another significant update to the incident in December, when it shared that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the August incident. 

The December update followed one in November on the August incident that said “certain elements of our customers’ information” were accessed, but added that customers’ passwords remained safely encrypted due to LastPass’s Zero Knowledge architecture.

Ars Technica reported that the third-party media software was Plex, which reported a network intrusion of its own on Aug. 24, though it’s unknown if the Plex incident is related to the LastPass incident.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
