LastPass: DevOps engineer hacked to steal password vault data in 2022 breach

From the article cited by @Sky-Knight: "Unfortunately, the LastPass employee never upgraded their software to activate the patch," Plex said in a statement. "For reference, the version that addressed this exploit was roughly 75 versions ago."

If this doesn't point out why "forced, automatic updates" are, even with the problems they occasionally cause, preferable to relying on humans to patch everything themselves, I don't know what could.

We all have so much crap we're trying to keep up with that automatic updating should be seen as the godsend it's been, rather than something to avoid. And there are still far too many who will go to great lengths to avoid it. [I have no idea whether this applies in this specific case, or not. It's just a general observation].

The author of said article is 100% correct in describing this incident as a "sobering reminder of the dangers of failing to keep software up-to-date." My primary reason for doing so is that there are just so many security patches about which I know nothing of the details, nor should I need to. The folks that create and maintain any software are in a much, much better position to make the determinations with regard to necessary "care and feeding" than I could ever be. That's their job, and I listen to expert opinion, which includes always trying to keep everything as up-to-date as I possibly can, which means "in support" at a minimum.
 
What is worse is the fact that a developer had any access, let alone REMOTE ACCESS, to production backups. He is a DEVop. Why does he have any production access at all? Those AWS containers should have been restricted access by IP address so that only the servers at LastPass or the servers in the AWS cloud, if everything they have lived there, are the ONLY devices in the world that can access them.
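For anyone wondering what the IP-pinning the post above asks for looks like in practice, here is an added example (not code from any poster, and not anything LastPass published) of an S3 bucket policy that denies every request to a backup bucket unless it comes from a corporate address range or from the account's own VPC endpoint. The bucket name, the office CIDR and the VPC endpoint id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBackupAccessFromOutsideCorpNetworkOrVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-backup-bucket",
        "arn:aws:s3:::EXAMPLE-backup-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLEID"
        }
      }
    }
  ]
}
```

The two condition blocks are ANDed, so the deny fires only when the caller is both outside the office range and not coming through the VPC endpoint; an explicit Deny also wins over any Allow attached to a user's IAM identity, which is the point. It is a network fence, not a substitute for least privilege: a caller already inside that fence with valid keys still gets whatever their IAM policies grant, so CloudTrail data events on the bucket are still worth turning on to see who actually reads the backups.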
 
He is a DEVop. Why does he have any production access at all?

The fact that he's a DEVop does not preclude his having been production support, too. In my long ago days at a major telecommunications company those of us who were developers were also directly involved in production support on a rotating basis. And this was when staffing levels for virtually anything far exceeded what is typical these days.
 
The fact that he's a DEVop does not preclude his having been production support, too. In my long ago days at a major telecommunications company those of us who were developers were also directly involved in production support on a rotating basis. And this was when staffing levels for virtually anything far exceeded what is typical these days.
Of course, but because of the nature of the company, high-security PII data, the personal tools used by the developer MUST be isolated from each other. The Production side MUST be inside a tightly walled garden. His damn passwords should not be valid from any computer in the world. I'm betting because of COVID some security issues were relaxed at LastPass allowing this to happen. Because a secure connection even from his home COULD have been made, but it would have cost lots of money to install VPN firewalls on a second internet connection on a company-provided PC or laptop. He was using his HOME PC, a BYOD, to remote access and do work. WTAF!?!
 
The answer in this case isn't IP level isolation, it's PIM. Something that Amazon cannot do, this is Azure now... enterprise Azure. A magic land where admins are not admins, merely granted the permission to be admin, and only after submitting the appropriate paperwork, and being granted access by someone else, do they become admin, and even then it's only for the duration expected to perform the task at hand.

All this article tells us is LastPass never used enterprise standard practices. They kept their junk on Amazon using old tools, and old tools configured poorly.

They were also stupid enough to hire a dev that exposed his home working environment with entertainment software he didn't maintain. Even more evidence of internal, structural, leadership faults.
 
@nlinecomputers

I'm not, really I'm not, trying to argue your point.

Your conjectures as to why this may have happened are as good as anyone else's. There are ways this could have been handled, remotely and pretty darned safely, but the way used doesn't come close to meeting that standard.

The post mortem should be a huge cautionary tale. But I've also long ago learned that many pay no attention to cautionary tales and remain convinced, "That could never happen to me/us . . . "
 
The answer in this case isn't IP level isolation, it's PIM. Something that Amazon cannot do, this is Azure now... enterprise Azure. A magic land where admins are not admins, merely granted the permission to be admin, and only after submitting the appropriate paperwork, and being granted access by someone else, do they become admin, and even then it's only for the duration expected to perform the task at hand.

All this article tells us is LastPass never used enterprise standard practices. They kept their junk on Amazon using old tools, and old tools configured poorly.

They were also stupid enough to hire a dev that exposed his home working environment with entertainment software he didn't maintain. Even more evidence of internal, structural, leadership faults.
Yep. Azure PIM makes it easy to restrict access so that it takes more than one person to authenticate. That way ONE person getting breached doesn't let the bad guys in. That DoD level of access I was mentioning earlier. You can't fire the nukes without two keys and two sets of codes from two different soldiers.
 