Password manager LastPass US LP reeled from multiple data breaches in 2022 when hackers accessed sensitive information from databases, and today the company revealed how attackers used that information to target a senior DevOps engineer with malware to “launch a coordinated second attack” that breached password vaults.

LastPass announced the first security breach in August, saying the company detected unusual activity within portions of the company’s development environment. The attacker gained access to the company’s source code and proprietary technical information.

At the time of the first attack, the company said that there was no evidence that the incident involved any customer data or encrypted password vaults.

However, a second attack that happened in December did lead to the attacker gaining access to encrypted passwords and encrypted backup data and the company is now revealing the mechanics behind that attack. The company was quick to point out that the decryption keys were not stolen, so it would be difficult, but not impossible, for the information to be read by an attacker.

“The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack,” the company said.

According to LastPass, its security controls over its on-premises data center installations were too strict for the attacker to overcome, so it targeted one of the four DevOps engineers who had access to the cloud infrastructure.

The attacker managed to get malware onto the engineer’s home computer via a vulnerable third-party media software package and installed a piece of software called a keylogger. This allowed the attacker to watch every keystroke the engineer typed into the computer while working remotely and thus captured the login information and master password while interacting with the company’s cloud environment.

After gaining access to the company’s cloud using the employee’s high-security access, the attacker then stole vault entries and shared folders and encryption keys to the AWS S3 LastPass production backups and other cloud storage. That led to the attacker gaining access to encrypted data vaults.

“This is an emerging vector of sophisticated cyberattacks: targeting victim’s employees, who have privileged access to internal systems, instead attacking the victims directly,” Dr. Ilia Kolochenko, founder and chief executive of ImmuniWeb SA, which provides artificial intelligence application security, told SiliconANGLE.

Kolochenko explained that over the past three years, multiple devastating supply-chain attacks have targeted companies, affecting their software source code and network protocols. Now, most organizations lock down their on-premises infrastructure and code extremely tightly and as a result, attackers have begun to look for different chinks in their security.

“Creative cybercriminals have, however, discovered another low-handing-fruit attack vector, a grim derivate of the pandemic and working-from-home trend: the victim’s employees,” Kolochenko said.

Companies such as LastPass hold extremely important resources such as passwords, which in turn unlock even larger potential treasures for hackers are especially lucrative targets for hackers.

These incidents aren’t the first time the company has been hacked. In 2015, attackers broke into the company’s network, stole email addresses, password reminders and authentication hashes. Although at the time the company said that master passwords were not stolen, it still urged users to change them.

Kolochenko believes that this year cyber gangs will continue to follow this trend of targeting employees by using previously stolen information to target employees and then use their internal access to gain further traction into networks. As a result, organizations should pay more attention to what kind of access they are providing to their employees and the type of security review they are doing.

“In 2023, we should expect a surge of sophisticated attacks on privileged tech employees aimed at stealing their access credentials and getting access to the crown jewels,” Kolochenko said. “Organizations should urgently consider reviewing their internal access permissions and implement additional patterns to be monitored as anomalies, such as excessive access by a trusted employee or usual access during nonbusiness hours.”

Image: Pixabay