Change this right away in your org: LastPass breach lessons

  • LastPass had a major breach where thousands of accounts had their information exposed
  • Spear phishing was involved
  • An engineer who had access to the encryption keys had his computer compromised
  • Using a keylogger, hackers gained access to LastPass's AWS servers
  • Below are steps that you can take to prevent this from happening in your business

Let’s take a lesson from LastPass. If you have not heard yet, there was a major breach last year where encrypted data and the encryption keys were leaked, exposing the data of thousands of accounts. Let’s explore how it actually happened and what lessons we can all take away from this when it comes to protecting our business.

Last year, a severe breach of LastPass was linked to a malicious keylogging piece of software that had been unknowingly installed on an employee’s home computer. 

LastPass, one of the most reliable password managers on the market, had their image and reputation shattered by a huge data breach. The hackers had secretly infiltrated LastPass’ systems for weeks before managing to extract encrypted password vault data of all customers. Unexplainable as it may have seemed at first, we now know that access could only be granted through both Amazon AWS Access Keys and decryption keys created by LastPass itself.  

How did this breach occur?


In an announcement, LastPass reported that only four of the company’s DevOps engineers were given access to decryption keys, through a highly restricted set of folders. Astonishingly enough, though, the hacker managed to bypass all security protocols by serving malware onto one of these engineers’ home computers. By exploiting an insecure third-party media platform on that computer, they achieved remote code execution, which allowed them to plant keylogger malware and gain unauthorized entry into LastPass’ systems.

The malicious software captured the engineer’s keystrokes, giving the hacker their master password for LastPass. To make matters worse, this malware also helped them bypass multi-factor authentication on the account and gain control of decryption keys from LastPass’s cloud backup system. LastPass did not disclose which “vulnerable third-party media software package” the hackers used; Ars Technica stated that it was likely Plex, a system that helps users build home video streaming servers. However, Plex stated that they had not heard from LastPass and were unaware of any unpatched vulnerabilities. Go figure!

They more than likely took the session cookies and either used them from their own system or used the infected computer to connect directly to the AWS servers, bypassing the 2FA.

The targeted engineer had their computer breached in August and, although the exact details are unclear, it is believed that the threat actor disabled the antivirus software on the engineer’s laptop to gain undetected access.


So, now that we know how this breach occurred, let’s break down the lessons that we can all take away from this:  

Several events occurred that allowed this breach to happen.  

  1. More than likely, there was a spear phishing campaign aimed at this particular engineer
  2. The employee was allowed to access sensitive data from an unmonitored personal computer
  3. The DevOps engineer had admin privileges on his own machine

So, let’s break down this attack: 


Spear Phishing Attack  


The engineer was clearly targeted (according to LastPass, only a handful of people had this type of access to the entire system). The method of phishing that the attackers used is still unknown, but what we can say with certainty is that the hackers knew to target specific users in the company. It could have been a broad campaign where the hackers got lucky and struck gold with this particular engineer, but given the sophistication of this multistep attack, it was clearly well planned and very targeted.

Would additional cyber security training for employees with high-level access (such as this DevOps engineer) have prevented the breach? We will never know; however, it’s safe to assume that it’s always a good idea to provide additional training to managers and developers who have access to sensitive company information. The best way to build phishing awareness is to provide training, followed shortly by a simulated phishing campaign to see which employees need additional training.


Unmonitored PCs and BYOD


As a Managed Services Provider, our standard rate covers monitoring, support, and security for one workstation per user. We charge a small fee to cover additional computers used by people working remotely from home. We always explain to our clients that they should stay vigilant about security even after they leave the office. A single point of entry, such as a breached computer, a vulnerable IoT device or an outdated media server on the home network, could potentially open up an entire organization to an unknown threat. Practicing good cyber hygiene should be something you adopt in your everyday life (similar to brushing your teeth in the morning). Taking the steps to stay vigilant will safeguard your personal information and the company information that has been entrusted to you.

Having an additional layer of security provided by Managed Services Providers (MSP) or Managed Security Services Providers (MSSP) could make all the difference by securing the most vulnerable endpoints. Endpoint protection typically includes Endpoint Detection and Response (EDR), which reports any security alerts back to the MSP or MSSP. At that point an engineer determines the severity and what actions need to be taken to mitigate the problem. Oftentimes these tools include machine learning, where the software builds a baseline of normal activity and any major deviation from that baseline generates an alert for the engineers to follow up on. Combining endpoint protection, managed multi-factor authentication, and a secured cloud infrastructure should be a priority for most businesses. Unfortunately, many don’t take the steps to secure their systems until a breach or a ransomware attack has already happened. Just remember: it’s much cheaper to prevent an attack than it is to recover from one.


Admin Privileges  


Having all the power can be a bad thing! The LastPass example shows why it’s a bad idea to give employees admin access. The targeted engineer had full admin rights on his computer, so when the hackers gained access to his machine, they were able to use his credentials to turn off the antivirus and install malware locally. Had the engineer been limited in what he could do on his PC, the hackers would not have been able to install software or disable his antivirus. As part of our initial cyber security threat assessment, we typically review the permissions of both local and cloud accounts. It’s never a good idea to have admin rights on the PC you use every day. It’s also never a good idea to have full admin rights on the primary email account you use on a daily basis. We always recommend creating a separate admin account, whether for local machines or for your cloud services.
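One concrete check for the point above, added here as a PowerShell example (not the post’s or AlphaCIS’s own tooling): it reports whether the account doing the daily work on a Windows PC also sits in the local Administrators group, assuming Windows PowerShell 5.1 or later with the built-in LocalAccounts module.

```powershell
# Added example (not from the original post): audits whether the account that
# does the everyday work on this Windows PC is also a local administrator,
# which is the condition the post warns about. Assumes Windows PowerShell 5.1
# or later with the built-in Microsoft.PowerShell.LocalAccounts module.

function Test-DailyUserIsAdmin {
    # The interactively logged-on user, as DOMAIN\user or COMPUTER\user;
    # falls back to the account running this script (e.g. over remoting).
    $loggedOn = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $loggedOn) { $loggedOn = "$env:USERDOMAIN\$env:USERNAME" }

    # Everything in the local Administrators group, including any domain
    # groups that were granted local admin rights.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    # Direct membership: the daily-use account itself is listed as an admin.
    # -contains is case-insensitive, so DOMAIN\User and domain\user match.
    $directAdmin = $admins -contains $loggedOn

    # Token check: true when this PowerShell session itself holds admin
    # rights (under UAC that means it is running elevated). This catches
    # rights inherited through nested domain groups that the list above
    # does not expand.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $tokenAdmin = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($directAdmin -or $tokenAdmin) {
        $finding = 'Daily-use account has admin rights: move admin tasks to a separate account'
    } else {
        $finding = 'OK: daily-use account is a standard user'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LoggedOnUser = $loggedOn
        LocalAdmins  = ($admins -join '; ')
        DirectAdmin  = $directAdmin
        TokenAdmin   = $tokenAdmin
        Finding      = $finding
    }
}

Test-DailyUserIsAdmin | Format-List
```

Run it per endpoint (or push it through your RMM) and treat a “has admin rights” finding as the trigger to create the separate admin account the post recommends.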


Stay Vigilant 


Having the latest technology and software is great; however, it doesn’t stop there. The cyber security threat landscape can change daily, and it’s important to stay vigilant. Keep an eye out for any suspicious activity on your network or accounts, make sure all of your corporate passwords are secured (and rotated regularly), use multi-factor authentication whenever possible, update your systems regularly, and, most importantly, tell your employees to be on the lookout. Prevention is key when it comes to cyber security, and knowledge is power; use those two things combined to keep your organization safe. If your company needs help with a security assessment, AlphaCIS will do a free security assessment and provide you a report that you can use to either fix the current problems yourself or let AlphaCIS do it for you. You can schedule an appointment here, or give us a call at 678-619-1218.