LastPass has released an official follow-up report on the security breach it suffered last month, based on what the password management platform was able to determine about the attack and the attackers.
According to the company, the LastPass attacker or attackers appear to have acted stealthily, apparently tricking a LastPass developer into installing malware that the criminals then used to hitch a ride into the company’s source code repository.
According to LastPass’ post-attack assessment, the attacker “gained access to the development environment using a developer’s compromised endpoint,” which led the company to assume that the attacker had planted system-spying malware on a programmer’s computer.
LastPass could not determine the trick used to plant the malware, which the company called “disappointing”, stating that “knowing how the latest attack was actually carried out makes it easier to reassure customers that revised prevention, detection and response procedures may block it next time”.
Many potential attack vectors come to mind, including unpatched local software, “shadow IT” leading to an insecure local configuration, a phishing click, dangerous download habits, a compromise in the source code supply chain that the relevant coder relies on, or a booby-trapped attachment opened by mistake.
LastPass added that the attacker “used their persistent access to impersonate the developer once the developer successfully authenticated using multi-factor authentication.” This means that the attacker may never have needed to acquire the victim’s password or 2FA code, but simply used a cookie-stealing attack or extracted the developer’s authentication token from genuine network traffic (or from the RAM of the victim’s computer) in order to piggyback on the programmer’s usual access.
LastPass detected and expelled the attacker within four days. According to the company, given the risk of timestamp ambiguity in system logs, being able to determine the precise order in which events occurred during an attack is a critical part of incident response.
LastPass physically separates its development and production networks, which Paul Ducklin of Sophos Naked Security calls “good cybersecurity practice”.
“This prevents an attack on the development network, where things are inevitably in a continuous state of change and experimentation, from escalating into an immediate compromise of official software that is directly available to customers and the rest of the company,” Ducklin said.
The company does not store any customer data in its development environment, which Ducklin also notes is a good call.
“Again, this is good practice given that developers, as the job name suggests, typically work on software that has not yet undergone a comprehensive security review and a quality assurance process.
“This separation also allows LastPass to claim that no password vault data, which would have been encrypted with users’ private keys anyway, could have been exposed, which is a stronger claim than simply saying, ‘We have found no evidence that it was exposed’.
“Keeping real-world data out of your development network also prevents well-meaning coders from inadvertently grabbing data that is supposedly under regulatory protection and using it for unofficial testing purposes.
“Although the source code was stolen, no unauthorized code modifications were left behind by the attacker,” Ducklin added.
Moving source code from the development network to production, Ducklin continued, “can only occur after the completion of rigorous code review, testing, and validation processes.”
“This allows LastPass to claim that no modified or poisoned source code would have reached customers or the rest of the company, even if the attacker had successfully planted malicious code in the version control system,” said Ducklin.
LastPass never stores or even knows the private decryption keys of its users. In other words, even if the attacker had gotten away with password data, according to Ducklin, it would have ended up as a shredded “digital cabbage.”
“The company also provides a public explanation of how it secures Password Vault data against offline hacking, including using client-side PBKDF2-HMAC-SHA256 to salt, hash, and stretch your password offline with 100,100 iterations, thus making password cracking attempts very much more difficult even if attackers get away with locally stored copies of your password vault,” Ducklin explained.
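The key-stretching scheme described above, as an added illustration that is not code from LastPass or from this article. Beyond the PBKDF2-HMAC-SHA256 and 100,100-iteration figures quoted here, the choice of the account e-mail as salt, the separately derived login token and the server-side check are assumptions about a typical client-side design, not details from the page.

```python
import hashlib
import hmac
import os
import time

# Parameters quoted on the page: client-side PBKDF2-HMAC-SHA256, 100,100 iterations.
ITERATIONS = 100_100
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a vault encryption key entirely on the client.

    The salt stops two users with the same password from sharing a key; using the
    account e-mail as the salt is an assumption for this example, not a page detail.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Derive the value the client sends for login (assumed design, for illustration).

    One extra PBKDF2 round over the vault key, salted with the password, lets the
    server verify a login without ever holding the vault key itself.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def server_check_login(stored_token: bytes, presented_token: bytes) -> bool:
    """Constant-time comparison of the stored login token against the presented one."""
    return hmac.compare_digest(stored_token, presented_token)


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Estimate how many master-password guesses one core can try per second at the
    given iteration count; a lower figure means slower offline cracking of a stolen vault."""
    salt = os.urandom(16)  # constructed throwaway salt
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    email = b"alice@example.com"  # constructed sample salt
    password = "correct horse battery staple"  # constructed sample password
    vault_key = derive_vault_key(password, email)
    token = derive_auth_token(vault_key, password)
    print("vault key  :", vault_key.hex())
    print("login token:", token.hex())
    print("login ok   :", server_check_login(token, derive_auth_token(vault_key, password)))
    for n in (1, 5_000, ITERATIONS):
        print(f"{n:>7} iterations: ~{guesses_per_second(n):,.0f} guesses/s per core")
```

Run it to see how far the 100,100-iteration setting drives down the guess rate compared with an unstretched hash on your own hardware.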
While this is an embarrassing incident for LastPass, the attack and the company’s incident report are good reminders that “divide and conquer,” in zero trust lingo, is an important part of contemporary cyber defense.
“Hats off to LastPass for admitting what amounts to a ‘known unknown’,” Ducklin concluded.