Keylogger on Employee Home PC Led to LastPass 2022 Breach

LastPass has revealed that the threat actor who breached the company's systems in August 2022 did so by leveraging source code and technical information that were obtained from the company's development environment via a home computer belonging to a DevOps engineer.

From a technical standpoint, LastPass said information was obtained via a keylogger installed on the employee's device by exploiting a remote code execution (RCE) vulnerability in a third-party media software package.

This information was then used by the threat actor between August and October to steal credentials and keys later used to access and decrypt certain storage volumes within the cloud-based storage service in the December attack.

"We have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata," the company wrote.

These include company names, end-user names, billing addresses, email addresses and telephone numbers, as well as the IP addresses used by customers to access the LastPass website.

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data," LastPass continued. 

According to Martin Mackay, CRO at Versa Networks, the breach updates by LastPass are a stark reminder that remote working and BYOD (bring your own device) are increasingly blurring the lines between home and work networks.

"People assume that if a personal home computer has nothing of value on it, then it won't be a target for cyber-criminals; however, this is simply not true," Mackay added.

"Threat actors will use any security gap or weakness to initially breach the network, and then move laterally across to their intended target – in this case; it was corporate data from cloud storages."

More generally, Javvad Malik, lead security awareness advocate at KnowBe4, said the incident is a persistent textbook attack where threat actors increased their foothold in stages and without rushing.

"Many times we see statements from organizations which have suffered a breach downplaying the incident and stating that no financial data was stolen," Malik said, commenting on the news.

"But no incident should be considered small and should be thoroughly investigated to ensure that any stolen information cannot be used to launch further targeted attacks."

More information about the LastPass breach is available in this analysis by Infosecurity deputy editor James Coker.

What’s Hot on Infosecurity Magazine?