Black Arrow Cyber Alert 01/03/2023 – ACTION REQUIRED: LastPass Security Incident Update

Executive Summary

Yesterday (28 February 2023), LastPass provided an update on their recent security incident that was disclosed on 22 December 2022. LastPass explained how information stolen in a breach that had taken place in August 2022 was then used to conduct a separate breach in December 2022; the latter breach then allowed access to the LastPass encrypted Amazon S3 buckets.

LastPass also revealed more about how the incidents happened. In the first incident the threat actor did not have the decryption keys and so was unable to decrypt some of the data. The threat actor identified that a DevOps engineer had access to the decryption key, and as a result the DevOps engineer’s home computer was targeted. By exploiting a vulnerable third-party software package, the threat actor was able to install a keylogger and capture the engineer’s master password as it was entered. Once the engineer had authenticated with multi-factor authentication (MFA), the threat actor then had access to the LastPass corporate vault.

What’s the risk to my business?

The incident has resulted in a significant amount of data being accessed[1]. LastPass has stated that the compromised backup of the customer base was dated 14 August 2022 and that any accounts created after that date are not affected. A full list, including descriptions, is available from LastPass; a summary of the main items is presented below:

Business customers - General

  • MFA seeds

  • Splunk Security Information and Event Management (SIEM) integration secrets

  • “Push” site credentials

  • SCIM, Enterprise API and SAML keys

  • Billing addresses

  • Company name

  • Tax ID

  • Email address

  • End user name

  • IP address of trusted devices

  • Telephone number

  • Mobile device unique identifier

  • Number of iterations that a customer was configured to use

Business customers - Non federated

  • Hashes of temporary and account recovery one-time passwords

  • MFA API integration secrets

  • One-time password seeds

Business Customers - Federated

  • Split knowledge component “K2” keys

What can I do?

Recommended actions depend on whether the user environment is federated or not. Federated users are authenticated by an identity provider such as Azure Directory, which then allows the user to access LastPass. Non-federated users access LastPass using a LastPass username and password. The recommended actions are as follows:

Federated users

For federated environments, organisations should consider de-federating and re-federating all users, and requesting that users rotate all vault credentials in line with the organisation’s risk tolerance. If credentials are to be rotated, critical credentials should be prioritised.

Non-federated users

Where non-federated users use MFA, administrators should clear all MFA shared secrets[2]; this destroys all LastPass sessions and requires each user to log back in and re-enable MFA. Where MFA is not in use, we strongly recommend it is enforced as soon as possible. Administrators should also consider requiring users to reset their master passwords[3].
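The reason clearing the MFA shared secrets (rather than simply asking users to re-enrol the same authenticator) is the effective remedy can be shown with the standard TOTP algorithm (RFC 6238). The block below is an added example, not LastPass code: anyone holding a copy of a seed computes exactly the codes the legitimate authenticator does, and only replacing the seed makes those codes stop verifying. The "old" and "new" seeds and the timestamp are constructed sample values; the self-check seed is the RFC 6238 test secret.

```python
"""Added example: TOTP codes are a pure function of (seed, time), so a leaked
seed must be replaced. Implements RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
Seeds and timestamps below are constructed, not real account data."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(code, totp(seed, unix_time + k * STEP_SECONDS)):
            return True
    return False


def rotate_seed() -> bytes:
    """What 'clearing the MFA shared secret' amounts to: a fresh random seed
    that the user must re-enrol. 20 bytes = 160-bit SHA1 key size."""
    return secrets.token_bytes(20)


def leaked_seed_still_works(leaked_seed: bytes, unix_time: int) -> bool:
    """Before rotation: a code computed from the leaked copy verifies."""
    return verify(leaked_seed, totp(leaked_seed, unix_time), unix_time)


def leaked_seed_rejected_after_rotation(leaked_seed: bytes, new_seed: bytes, unix_time: int) -> bool:
    """After rotation: the same leaked copy no longer produces accepted codes."""
    return not verify(new_seed, totp(leaked_seed, unix_time), unix_time)


if __name__ == "__main__":
    old_seed = b"constructed-old-seed"      # constructed: the seed in the stolen backup
    now = 1_700_000_000                     # constructed timestamp
    print("leaked seed accepted before rotation:", leaked_seed_still_works(old_seed, now))
    new_seed = rotate_seed()
    print("leaked seed rejected after rotation: ",
          leaked_seed_rejected_after_rotation(old_seed, new_seed, now))
```

The `verify` helper uses a constant-time comparison and a small drift window, which is how a real verifier behaves; the point of the demo is that no amount of window tuning helps while the seed itself is in the attacker's hands.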

General

To maximise security for your users, LastPass recommends reviewing the password iteration count setting and having users change to 600,000 iterations[4], which is the number recommended by OWASP.
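Why the iteration count matters, and how to find the accounts that need attention, as an added example rather than anything from LastPass: the vault key is derived from the master password with PBKDF2-HMAC-SHA256 (an assumption about the construction, stated here rather than taken from the advisory), so each extra iteration raises the cost of every guess an attacker must make against a stolen encrypted vault by the same factor. The per-user iteration counts are constructed sample data standing in for whatever export your admin console provides.

```python
"""Added example: cost of PBKDF2 at different iteration counts, and an audit
of per-user counts against the 600,000 figure. Assumes PBKDF2-HMAC-SHA256 with
a 32-byte output; the user list is constructed sample data."""
import hashlib
import time

RECOMMENDED_ITERATIONS = 600_000  # OWASP figure cited in the advisory


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte key (assumed vault key derivation)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derivation_cost_seconds(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation. An attacker guessing against
    a stolen vault pays this (on their hardware) for every candidate password."""
    salt = b"constructed-sample-salt"
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def guesses_per_second(iterations: int) -> float:
    """Rough single-core guess rate at this iteration count (this machine)."""
    return 1.0 / derivation_cost_seconds(iterations)


def audit_iteration_counts(users: dict, minimum: int = RECOMMENDED_ITERATIONS) -> list:
    """Return the users whose configured count is below `minimum`, lowest first,
    so the weakest accounts can be prioritised for a forced re-derivation."""
    below = [(n, u) for u, n in users.items() if n < minimum]
    return [u for n, u in sorted(below)]


if __name__ == "__main__":
    # Constructed sample export: username -> configured iteration count.
    sample_users = {
        "alice@example.test": 600_000,
        "bob@example.test": 100_100,
        "carol@example.test": 5_000,
        "dave@example.test": 1,
    }
    print("Users below recommended count:", audit_iteration_counts(sample_users))
    for n in (1, 5_000, 100_100, RECOMMENDED_ITERATIONS):
        print(f"{n:>8} iterations: {derivation_cost_seconds(n) * 1000:8.2f} ms per guess, "
              f"~{guesses_per_second(n):,.0f} guesses/s on this core")
```

Running it shows the cost scaling linearly with the count: the same password list that can be tried tens of thousands of times per second at a single-digit iteration count drops to a few guesses per second at 600,000. The audit list is the practical output: those users are the ones to push through a master password change so the vault key is re-derived at the new count.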

A super administrator or “break-glass” account is a privileged account reserved for unrestricted emergency access. Where a super administrator or “break-glass” administrator account is present, LastPass recommends that at least one of these is not federated and has a strong master password and iteration count as per LastPass guidance. Where the password is not strong, it should be reset immediately. It is recommended that MFA also be reset, to reduce the risk of compromise.

Additional considerations include the review of vault item password policies, user security scores, security of shared folders and monitoring of the dark web.

As always, organisations should remain vigilant as threat actors may use this event to conduct phishing campaigns.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
