Privileged access management is a critical aspect of security. Breaches that stem from access management failures are on the rise, and a compromise of confidential data carries severe consequences. The effectiveness of the security measures that safeguard critical cloud data needs to be established and verified. Businesses need visibility into their cloud data security posture, and privileged access management for cloud users is a core defence against cyber-attacks.
Today we look in more detail at the LastPass breach: its background, its impact, the lessons learned, and how this kind of breach can be handled.
The LastPass Breach: Background
In August 2022, the LastPass security team was alerted to suspicious activity in the cloud development environment used for on-demand and pre-development, integration, validation, and testing work. After 24 hours of investigation, the team found suspicious patterns of behaviour and access inconsistencies associated with a LastPass employee's account in the development environment.
The employee's computer had been compromised, which gave the attacker access to the resources the employee had been legitimately granted. On 13th August 2022, LastPass engaged Mandiant to investigate the breach further. The breach is believed to have taken place between 8th August 2022 and 12th August 2022.
The threat actor performed anti-forensic activity, and a scheduled operating system upgrade ran during the incident window; between them, logs and system artifacts were overwritten, so the initial vector the attacker used to gain access to the employee's system could not be determined. The system was configured with the corporate tools used for development and with security controls including an Endpoint Detection and Response (EDR) agent, which was tampered with during the attack and did not trigger in its initial stage.
The threat actor used third-party VPN services to obscure the origin of their activity while accessing the cloud-based development environment, and used that access to impersonate the employee. Leveraging the development environment, the attacker accessed technical documentation and LastPass source code and exfiltrated 14 of 200 source code repositories relating to various components of the LastPass service.
The exfiltrated repositories included cleartext embedded credentials, digital certificates for the development environment, and encrypted credentials used by production backups.
The second incident ran from 12th August to 26th August 2022. The threat actor made use of the information exfiltrated during the first incident: they leveraged valid credentials stolen from the employee and accessed the shared cloud storage environment. AWS GuardDuty alerts indicated anomalous behaviour as the threat actor tried to use cloud identity and access management (IAM) roles to perform unauthorized activity.
The threat actor targeted a DevOps engineer who was working from home, exploiting a vulnerable third-party media software package to achieve remote code execution and implant a keylogger on the engineer's system. The engineer's password was captured and, once the engineer had authenticated with MFA, the attacker gained access to the LastPass corporate vault. The native vault entries were exported and the shared-folder contents copied; these contained encrypted secure notes holding the decryption and access keys required to reach cloud-based storage and other critical databases.
Lessons Learned from The LastPass Breach
Let's look at some lessons learned from the LastPass security breach and the questions it raises about cloud security.
Data Access Governance for Privileged Users
The initial incident involved the access and use of a privileged user's credentials to break into LastPass cloud accounts. Attacks that use a legitimate user's credentials are difficult to detect as unauthorized access, because the credentials the attacker presents are themselves legitimate. Auditing and regular monitoring of privileged user accounts help to identify dormant accounts and abandoned privileges. If a user was granted access months ago but has never used those permissions, that information is very useful for removing over-provisioned permissions and reducing the attack surface around sensitive data.
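The audit described above can be automated against a "last accessed" report. The following is an added example (not code from the article or from LastPass) that walks a constructed report of per-principal permissions, flags any permission not exercised within a configurable window, and orders the findings so that privileged permissions (a constructed prefix list) come first. The report shape, the principals and the dates are all assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample: per-principal permissions with the date each was granted
# and last exercised (None = never used). Loosely modelled on an IAM
# "service last accessed" report; not real LastPass data.
SAMPLE_ACCESS_REPORT = [
    {"principal": "role/DevOpsDeploy", "permission": "s3:GetObject",
     "granted": "2022-01-10", "last_used": "2022-08-10"},
    {"principal": "role/DevOpsDeploy", "permission": "iam:CreateAccessKey",
     "granted": "2022-01-10", "last_used": None},
    {"principal": "role/DevOpsDeploy", "permission": "kms:Decrypt",
     "granted": "2022-02-01", "last_used": "2022-03-15"},
    {"principal": "user/contractor", "permission": "s3:ListAllMyBuckets",
     "granted": "2021-11-05", "last_used": "2022-08-11"},
    {"principal": "user/contractor", "permission": "rds:CreateDBSnapshot",
     "granted": "2021-11-05", "last_used": None},
]

# Permissions treated as privileged for ordering; constructed list for the example.
PRIVILEGED_PREFIXES = ("iam:", "kms:", "rds:CreateDBSnapshot", "s3:PutBucketPolicy")


def find_dormant_permissions(report, today, max_idle_days=90):
    """Return report entries whose permission has not been used within max_idle_days.

    `today` is an ISO date string. A permission that was never used counts as
    dormant once the grant itself is older than the idle window.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=max_idle_days)
    dormant = []
    for entry in report:
        granted = date.fromisoformat(entry["granted"])
        last_used = entry["last_used"]
        if last_used is None:
            if granted < cutoff:
                dormant.append(entry)
        elif date.fromisoformat(last_used) < cutoff:
            dormant.append(entry)
    return dormant


def is_privileged(permission):
    """True if the permission matches one of the privileged prefixes."""
    return permission.startswith(PRIVILEGED_PREFIXES)


def remediation_plan(report, today, max_idle_days=90):
    """Group dormant permissions by principal, privileged ones listed first."""
    plan = {}
    for entry in find_dormant_permissions(report, today, max_idle_days):
        plan.setdefault(entry["principal"], []).append(entry["permission"])
    for principal in plan:
        plan[principal].sort(key=lambda p: (not is_privileged(p), p))
    return plan


if __name__ == "__main__":
    for principal, perms in remediation_plan(SAMPLE_ACCESS_REPORT, "2022-08-12").items():
        print(f"{principal}: remove {', '.join(perms)}")
```

Run against the constructed report with a 90-day window as of 2022-08-12, the plan recommends removing `iam:CreateAccessKey` and `kms:Decrypt` from `role/DevOpsDeploy` and `rds:CreateDBSnapshot` from `user/contractor`; the two permissions used in the last few days are left alone. Treating "never used" as dormant only after the grant has aged past the window avoids flagging permissions that were provisioned yesterday.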
Quick Incident Response with Proper Data Classification and Mapping of Risk Chain
The second aspect concerns the identification and categorization of sensitive data stored in the cloud. Classifying data helps security teams understand which data stores are critical and which user roles are associated with managing them.
Sensitive data stores containing Personally Identifiable Information (PII) are critical customer data sets that need to be classified, along with a record of the users and roles that have direct or indirect access to them.
Data classification details help to predict risky configurations that might otherwise be overlooked. A map of chained configuration usually corresponds to the attack path followed by threat actors.
Forensic metadata and chained configuration data together can accelerate the incident response process.
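To make the "map of chained configuration" concrete, here is an added example (not from the article or from LastPass) that models a constructed inventory as a graph: principals, vault folders, secrets, repositories and data stores, with an edge wherever holding one resource lets you reach another. Combined with a constructed classification table, a breadth-first search lists every chain from a principal to a PII-classified store, which is exactly the indirect-access view the paragraph asks for. The resource names and edges are assumptions made for the example.

```python
from collections import deque

# Constructed inventory. Each edge means "holding the source lets you reach the target".
# The shape mirrors the chained configuration described in the article: a user's vault
# folder holds secrets, and the secrets unlock a backup store.
SAMPLE_EDGES = [
    ("user/devops-engineer", "vault/corporate-shared-folder"),
    ("vault/corporate-shared-folder", "secret/backup-decryption-key"),
    ("vault/corporate-shared-folder", "secret/storage-access-key"),
    ("secret/storage-access-key", "bucket/customer-vault-backups"),
    ("secret/backup-decryption-key", "bucket/customer-vault-backups"),
    ("user/devops-engineer", "repo/service-source"),
    ("repo/service-source", "secret/dev-cert"),
    ("secret/dev-cert", "bucket/dev-build-artifacts"),
    ("user/marketing", "bucket/public-assets"),
]

# Constructed classification labels for the data stores.
SAMPLE_CLASSIFICATION = {
    "bucket/customer-vault-backups": "PII",
    "bucket/dev-build-artifacts": "internal",
    "bucket/public-assets": "public",
}


def build_graph(edges):
    """Adjacency list; every node appears as a key even if it has no outgoing edges."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def risk_chains(graph, start, classification, sensitivity="PII"):
    """Return every simple path from `start` to a store classified as `sensitivity`."""
    chains = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if classification.get(node) == sensitivity:
            chains.append(path)
            continue  # stop at the sensitive store; no need to walk further
        for nxt in graph.get(node, []):
            if nxt not in path:  # avoid cycles
                queue.append(path + [nxt])
    return sorted(chains)


def principals_reaching(graph, classification, sensitivity="PII"):
    """Map each user/role to the chains through which it can reach sensitive stores."""
    result = {}
    for node in graph:
        if node.startswith(("user/", "role/")):
            chains = risk_chains(graph, node, classification, sensitivity)
            if chains:
                result[node] = chains
    return result


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    for principal, chains in principals_reaching(graph, SAMPLE_CLASSIFICATION).items():
        for chain in chains:
            print(principal, "->", " -> ".join(chain[1:]))
```

On the constructed inventory, `user/devops-engineer` reaches the PII store through two chains (via the decryption key and via the storage access key), while `user/marketing` reaches nothing sensitive. During incident response the same function, started from the compromised principal, gives the list of stores to check first; during hardening, any chain that passes through a secret held in a broadly shared folder is a candidate for splitting or removal.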
Abnormal Behaviour Tracking on Cloud Data
Effective monitoring could have helped LastPass identify the anomaly. Organizations should have monitoring tools in place for events such as queries that return an unusually high number of matching results, IAM-related events, downloads of encrypted data, backups shared across accounts, and so on.
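The four event classes listed above can each be expressed as a simple detection rule. The following is an added example (not from the article or from LastPass) that runs such rules over a constructed batch of CloudTrail-style JSON records: IAM mutations, repeated denied role assumptions, bulk downloads of encrypted backup objects, snapshots shared to a foreign account, and a constructed database audit record with an unusually large row count. The account IDs, ARNs, bucket names, the `rowsReturned` field and all thresholds are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict


def _ev(time, source, name, arn, ip, **extra):
    """Build one constructed CloudTrail-style record with only the fields the rules use."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    rec.update(extra)
    return json.dumps(rec)


ACCOUNT_ID = "111111111111"                       # constructed "own" account
DEV = f"arn:aws:iam::{ACCOUNT_ID}:user/devops"    # constructed principal
IP = "198.51.100.7"                               # documentation-range address

# Constructed log batch (not real LastPass logs).
SAMPLE_LOG = [
    _ev("2022-08-12T09:00:00Z", "sts.amazonaws.com", "AssumeRole", DEV, IP, errorCode="AccessDenied"),
    _ev("2022-08-12T09:00:04Z", "sts.amazonaws.com", "AssumeRole", DEV, IP, errorCode="AccessDenied"),
    _ev("2022-08-12T09:00:09Z", "sts.amazonaws.com", "AssumeRole", DEV, IP, errorCode="AccessDenied"),
    _ev("2022-08-12T09:05:00Z", "iam.amazonaws.com", "CreateAccessKey", DEV, IP),
    _ev("2022-08-12T09:20:00Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", DEV, IP,
        requestParameters={"snapshotId": "snap-0example",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}),
    # Constructed database audit record; rowsReturned is an assumed field, not a CloudTrail one.
    _ev("2022-08-12T09:31:00Z", "db-audit", "Query", DEV, IP, rowsReturned=250000),
] + [
    _ev(f"2022-08-12T10:00:{i:02d}Z", "s3.amazonaws.com", "GetObject", DEV, IP,
        requestParameters={"bucketName": "vault-backups", "key": f"backups/part-{i:03d}.enc"})
    for i in range(25)
]

IAM_MUTATIONS = ("Create", "Put", "Attach", "Update", "Delete", "Add")


def detect(lines, bulk_threshold=20, denied_threshold=3, row_threshold=100000):
    """Run the detection rules over JSON log lines; return (rule, principal, detail) tuples."""
    alerts = []
    denied = Counter()              # principal -> count of denied AssumeRole calls
    downloads = defaultdict(set)    # principal -> distinct backup keys fetched
    for line in lines:
        e = json.loads(line)
        who = e["userIdentity"]["arn"]
        name, src = e["eventName"], e["eventSource"]
        params = e.get("requestParameters", {})
        # Rule 1: any write to IAM is worth an alert on its own.
        if src == "iam.amazonaws.com" and name.startswith(IAM_MUTATIONS):
            alerts.append(("iam_mutation", who, name))
        # Rule 2: repeated denied role assumptions suggest probing for usable roles.
        if name == "AssumeRole" and e.get("errorCode") == "AccessDenied":
            denied[who] += 1
        # Rule 3: many distinct objects fetched from the backup prefix.
        if name == "GetObject" and params.get("key", "").startswith("backups/"):
            downloads[who].add(params["key"])
        # Rule 4: snapshot shared to an account other than our own.
        if name in ("ModifySnapshotAttribute", "ModifyDBSnapshotAttribute"):
            items = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
            foreign = [i["userId"] for i in items if i.get("userId") != ACCOUNT_ID]
            if foreign:
                alerts.append(("cross_account_share", who, ",".join(foreign)))
        # Rule 5: a query returning far more rows than normal.
        if e.get("rowsReturned", 0) >= row_threshold:
            alerts.append(("bulk_query", who, e["rowsReturned"]))
    for who, n in denied.items():
        if n >= denied_threshold:
            alerts.append(("role_probing", who, n))
    for who, keys in downloads.items():
        if len(keys) >= bulk_threshold:
            alerts.append(("bulk_backup_download", who, len(keys)))
    return alerts


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {who}: {detail}")
```

The per-event rules fire immediately; the two aggregate rules (role probing and bulk download) are evaluated once the batch has been read, which is how they would be expressed as a windowed query in a SIEM. Counting distinct keys rather than raw `GetObject` calls keeps a retry storm on one object from looking like a bulk export.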
The LastPass breach affected around 33 million users and 85,000 businesses across the world.