Black Arrow Cyber Alert 01/03/2023 – ACTION REQUIRED: LastPass Security Incident Update
Executive Summary
Yesterday (28 February 2023), LastPass provided an update on their recent security incident that was disclosed on 22 December 2022. LastPass explained how information stolen in a breach that had taken place in August 2022 was then used to conduct a separate breach in December 2022; the latter breach then allowed access to the LastPass encrypted Amazon S3 buckets.
LastPass also revealed more about how the incidents happened. In the first incident the threat actor did not obtain the decryption keys and so was unable to decrypt some of the stolen data. The threat actor identified that a DevOps engineer had access to the decryption key, and as a result the DevOps engineer’s home computer was targeted. By exploiting a vulnerable third-party software package, the threat actor was able to install a keylogger and capture the engineer’s master password as it was entered. Once the engineer had authenticated with multi-factor authentication (MFA), the threat actor then had access to the LastPass corporate vault.
What’s the risk to my business?
The incident has resulted in a significant amount of data being accessed[1]. LastPass has stated that the compromised backup of the customer base was dated 14 August 2022 and that any accounts created after that date are not affected. A full list, including descriptions, is available from LastPass; a summary of the main items is presented below:
Business customers - General
MFA seeds
Splunk Security Information and Event Management (SIEM) integration secrets
“Push” site credentials
SCIM, Enterprise API and SAML keys
Billing addresses
Company name
Tax ID
Email address
End user name
IP address of trusted devices
Telephone number
Mobile device unique identifier
Number of iterations that a customer was configured to use
Business customers - Non-federated
Hashes of temporary and account recovery one-time passwords
MFA API integration secrets
One-time password seeds
Business customers - Federated
Split knowledge component “K2” keys
What can I do?
Recommended actions depend on whether the user environment is federated or not. Federated users are authenticated by an identity provider such as Azure Directory, which then allows the user to access LastPass. Non-federated users access LastPass using a LastPass username and password. The recommended actions are as follows:
Federated users
For federated environments, organisations should consider de-federating and re-federating all users, and request users to rotate all vault credentials based on the organisation’s risk tolerance. If credentials are to be rotated, critical credentials should be prioritised.
Non-federated users
Where non-federated users have MFA enabled, administrators should clear all MFA shared secrets[2]; this will destroy all LastPass sessions and require the user to log back in and re-enable MFA. Where MFA is not in use, we strongly recommend it is enforced as soon as possible. Administrators should also consider requiring users to reset their master passwords[3].
General
To maximise security for your users, LastPass recommends reviewing iteration count settings and that users increase the count to 600,000 iterations[4], the number recommended by OWASP.
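As an added illustration of why the iteration count matters (example code, not from the alert or from LastPass), the Python below derives a key with PBKDF2-HMAC-SHA256, checks a configured count against the OWASP figure, and shows how the per-guess work factor scales with the count. The e-mail-as-salt construction and the low comparison count of 5,000 are assumptions made for the example.

```python
import hashlib
import time

# OWASP's recommended minimum for PBKDF2-HMAC-SHA256, the figure the alert cites.
OWASP_PBKDF2_SHA256_ITERATIONS = 600_000
# Low count used only as a constructed comparison point; not a value from the alert.
LOW_ITERATIONS = 5_000


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Modelled on how password managers generally derive a vault key; using the
    account e-mail as the salt is an assumption for this example, not something
    the alert states about LastPass.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=32,
    )


def meets_owasp_minimum(iterations: int) -> bool:
    """True when an account's configured count is at or above the OWASP figure."""
    return iterations >= OWASP_PBKDF2_SHA256_ITERATIONS


def relative_work_factor(configured: int, target: int = OWASP_PBKDF2_SHA256_ITERATIONS) -> float:
    """How many times more PBKDF2 work one derivation costs at `target` than at `configured`.

    PBKDF2 cost is linear in the iteration count, so a stolen vault whose owner
    was still on a low count is this many times cheaper to test offline. This is
    why the leaked 'number of iterations' field is relevant to each account's risk.
    """
    if configured <= 0:
        raise ValueError("iteration count must be positive")
    return target / configured


def time_one_derivation(iterations: int) -> float:
    """Wall-clock seconds for a single derivation on this machine (illustrative only)."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample account: compare a stale low setting with the recommended one.
    for count in (LOW_ITERATIONS, OWASP_PBKDF2_SHA256_ITERATIONS):
        print(f"{count:>8} iterations: {time_one_derivation(count):.3f}s per derivation, "
              f"OWASP minimum met: {meets_owasp_minimum(count)}")
    print(f"Raising {LOW_ITERATIONS} to {OWASP_PBKDF2_SHA256_ITERATIONS} multiplies "
          f"the per-derivation cost by {relative_work_factor(LOW_ITERATIONS):.0f}x")
```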
A super administrator or “break-glass” account is a privileged account reserved for unrestricted emergency access. Where a super administrator or “break-glass” administrator account is present, LastPass recommends that at least one of these is not federated and has a strong master password and a strong iteration count as per LastPass guidance. Where the password is not strong, it should be reset immediately. It is recommended that MFA also be reset, to reduce the risk of compromise.
Additional considerations include the review of vault item password policies, user security scores, security of shared folders and monitoring of the dark web.
As always, organisations should remain vigilant as threat actors may use this event to conduct phishing campaigns.
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity