The LastPass data breach saga continues, and no one knows when or how the story will end. The simplest of recaps of what has occurred to date looks something like this:
Back in August 2022, LastPass disclosed an incident in which an attacker used a compromised developer account to steal parts of LastPass’s source code and some proprietary information.
Then in November 2022, an attacker obtained an employee’s credentials to access a third-party cloud storage service used by LastPass and its parent company GoTo. The attacker decrypted storage volumes within the service and copied information from the backup that contained customer account information, user names, telephone numbers, IP addresses, and more.
Most recently, in March 2023, LastPass announced the same attacker group compromised an employee's personal home device to access LastPass’s corporate vault. Once the attacker gained possession of the decrypted vault, they exported entries including decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
As more information comes to light surrounding the breach, and how the threat actor compromised the developer’s credentials, the LastPass tale has become a cautionary one that speaks to the dangers of privileged access, third-party and remote access vulnerabilities, and insufficient network visibility.
It’s largely accepted these days that security incidents are inevitable. Still, the long-running LastPass attack is a perfect storm of everyday failures. And if it could happen to a password management company, then it could happen to anyone.
In the initial breach, source code was likely targeted because it held hard-coded credentials — username and password combinations and API key credentials in cleartext. This happens (especially in homegrown applications) because it’s faster than integrating a credential vault, privileged access management (PAM) solution, or credentials file.
Developers live and die by speed to release, and they will often shortcut security controls to achieve that speed. This is why developer environments have become such a favored attack vector among threat actors. Accessing source code allows them to inject malware into the software supply chain.
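The hard-coded credential problem described above is easy to demonstrate and easy to catch before a commit lands. The following is an added example, not LastPass's or Cyolo's code: a small scanner that finds cleartext credentials in source text, shown against a constructed vulnerable snippet and its hardened counterpart (the AWS key values follow Amazon's documented example format and are not real keys; the rule list and placeholder list are illustrative, and real tools such as gitleaks or trufflehog carry far larger rule sets).

```python
"""Find hard-coded credentials in source text and show the hardened alternative.

Added example, not LastPass's or Cyolo's code. The two source snippets, the
rule list and the placeholder list are constructed for illustration; the AWS
key values use Amazon's documented example format and are not real keys.
"""
import os
import re
from typing import Dict, List, Mapping, Optional

# Constructed sample of the "homegrown application" anti-pattern the post describes:
# usernames, passwords and API keys committed in cleartext.
VULNERABLE_SOURCE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "Summer2022!"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# The same code hardened: credentials are injected at runtime (vault/PAM agent,
# CI secret store or instance role) and never appear in the repository.
HARDENED_SOURCE = '''
import boto3
import os
client = boto3.client("s3")  # boto3 picks up the instance/role credentials itself
db_password = os.environ["DB_PASSWORD"]
'''

# Detection rules. Group 2 of the assignment rule is the literal value.
RULES: Dict[str, "re.Pattern"] = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # name-that-smells-like-a-secret = "literal"  (also matches AWS_SECRET_ACCESS_KEY)
    "secret_assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Values that are obviously placeholders, not live credentials (constructed list).
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "todo", "xxxxxx"}


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return v in PLACEHOLDERS or "${" in v or v.startswith("<")


def redact(value: str) -> str:
    """Keep a short prefix so the finding is actionable without re-leaking the value."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text: str) -> List[Dict[str, object]]:
    """Return one finding per hard-coded credential: rule name, line number, redacted value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if looks_like_placeholder(value):
                    continue
                findings.append({"rule": rule, "line": lineno, "value": redact(value)})
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: read the secret from the runtime environment (populated by a
    vault or PAM agent) and fail loudly if it is missing, rather than falling back to
    a default baked into the code."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} was not provided; refusing to use a default")
    return value


if __name__ == "__main__":
    for f in scan_source(VULNERABLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} -> {f['value']}")
    print("hardened findings:", scan_source(HARDENED_SOURCE))
```

Run as a pre-commit hook, `scan_source` blocks the vulnerable snippet on three lines and passes the hardened one; `load_secret` shows the runtime side of the fix, where a missing secret is an error rather than an invitation to add a default.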
Using information from the original breach, the LastPass attacker potentially gained a foothold on the engineer’s computer and enumerated installed software, looking for anything that may contain vulnerabilities — and lo and behold, they found something, in the form of a grossly outdated version of Plex, a self-hosted consumer streaming service.
The engineer was running an old version of Plex that contained a remote-code execution vulnerability. A flaw of this type lets an attacker make the application run attacker-supplied code while it performs an otherwise normal operation; in this case, that operation was the deserialization of data in the Plex media server. Leveraging Plex, the attackers remotely executed Python code to install a keylogger on the engineer’s PC, which captured the password as it was entered after the engineer had authenticated with multi-factor authentication.
The catch is: Plex patched this vulnerability back in 2020. In fact, 75 versions of Plex were released between the time of that fix and the time of the exploit.
Even though the unlucky engineer was one of only four employees with access to LastPass’s corporate vault, their use of the corporate vault on a personal device and the storage of both personal and work credentials in the same vault proved to be enough for the LastPass attacker.
LastPass’s response to the breach was inhibited by a lack of internal visibility and control. The scope of a modern enterprise network is very difficult to comprehend, and the tools used to detect anomalies often lack the sensitivity to catch attacks like this. Without strong controls to limit and prevent access, the attacker was able to roam around LastPass’s environment, seemingly at will.
When LastPass first announced the August breach, the company said it had been contained – but it had not.
When LastPass investigated the November breach, it didn’t immediately recognize that it was the same threat actor from the first incident.
Even with alerts and logging enabled, LastPass was still slow to detect suspicious activity. LastPass had no idea about the breach until AWS flagged unusual behavior when the hacker attempted to use Cloud Identity and Access Management roles to perform unauthorized activities.
LastPass simply didn’t have the granularity of control or the visibility to detect the breach and implement the required fixes promptly.
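The signal that finally surfaced the intrusion, a cloud IAM role being used for things it is not permitted to do, is one a defender can watch for in their own logs rather than waiting on the provider. The following is an added example, not LastPass's or AWS's detection logic: two detections run over constructed CloudTrail-style events (the account id, role name and TEST-NET IP addresses are made up; the field names follow CloudTrail's record format so the logic maps onto real exports).

```python
"""Flag suspicious IAM-role activity in CloudTrail-style events.

Added example, not LastPass's or AWS's own detection logic. The events, account
id, role name and IP addresses are constructed (TEST-NET ranges); the field names
follow CloudTrail's record format so the logic maps onto real exports.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set

ROLE = "arn:aws:sts::111122223333:assumed-role/BackupReader/ci-runner"


def _event(time: str, name: str, ip: str, error: Optional[str] = None) -> dict:
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "errorCode": error, "userIdentity": {"arn": ROLE}}


# Constructed sample: the backup role's normal CI traffic, then the same role used
# from an unfamiliar address to probe for permissions it does not have.
SAMPLE_EVENTS = [
    _event("2023-03-01T02:00:00Z", "GetObject", "203.0.113.10"),
    _event("2023-03-01T02:01:00Z", "ListBuckets", "198.51.100.77"),
    _event("2023-03-01T02:01:30Z", "DescribeDBSnapshots", "198.51.100.77", "AccessDenied"),
    _event("2023-03-01T02:01:40Z", "CopyDBSnapshot", "198.51.100.77", "AccessDenied"),
    _event("2023-03-01T02:01:50Z", "ListRoles", "198.51.100.77", "AccessDenied"),
    _event("2023-03-01T02:02:00Z", "CreateAccessKey", "198.51.100.77", "AccessDenied"),
    _event("2023-03-01T02:30:00Z", "GetObject", "203.0.113.10"),
]

# Baseline of source addresses each principal is expected to use (here: the CI runner).
KNOWN_SOURCES: Dict[str, Set[str]] = {ROLE: {"203.0.113.10"}}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: Iterable[dict], known_sources: Dict[str, Set[str]] = KNOWN_SOURCES,
           window_s: int = 60, threshold: int = 3) -> List[dict]:
    """Two detections over a time-ordered event stream:
    1. a principal calling from a source IP outside its baseline (alert once per new IP);
    2. `threshold` AccessDenied errors from one principal within `window_s` seconds,
       the permission-probing pattern that precedes misuse of a role."""
    alerts: List[dict] = []
    seen: Dict[str, Set[str]] = {p: set(ips) for p, ips in known_sources.items()}
    denied: Dict[str, Deque[datetime]] = defaultdict(deque)
    window = timedelta(seconds=window_s)

    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal = ev["userIdentity"]["arn"]
        ip = ev["sourceIPAddress"]
        t = parse_time(ev["eventTime"])

        baseline = seen.setdefault(principal, set())
        if ip not in baseline:          # a principal with no baseline alerts on first sight
            baseline.add(ip)
            alerts.append({"type": "new_source_ip", "principal": principal,
                           "ip": ip, "time": ev["eventTime"], "event": ev["eventName"]})

        if ev.get("errorCode") == "AccessDenied":
            q = denied[principal]
            q.append(t)
            while q and t - q[0] > window:   # drop denials outside the sliding window
                q.popleft()
            if len(q) == threshold:           # fires once as the threshold is crossed
                alerts.append({"type": "access_denied_burst", "principal": principal,
                               "count": len(q), "window_s": window_s, "time": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample stream the first alert fires at the first call from the unfamiliar address, a full minute before the provider-side signal would, and the second fires on the third denied call; both carry the principal, so the response is to revoke that role session, not to hunt for the source IP first.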
Bad user hygiene, single points of failure, insufficient visibility, tension between security and speed — practically every organization faces these challenges. Security tools and strategies must evolve to face the realities of the modern business landscape.
The principle of least privilege maintains that a user should only have access to the specific resources and applications they need to do their work. This must be a core tenet of any secure access strategy.
Still, enforcing least privilege is easier said than done. Third-party vendors are often over-permissioned for the sake of convenience, and a few specific internal user groups (like developers) may have access to the “crown jewels,” even if security is not their main priority.
In the zero-trust access model, by contrast, no implicit trust is ever given. Whether the user is remote or on-premises, in-house or third-party, or using a managed or unmanaged device, a zero-trust access solution will verify the user according to their identity and grant access directly to authorized applications only.
With rising cyber insurance costs and an increasingly dangerous cyberthreat landscape, modern security controls like end-to-end encryption, multi-factor authentication (MFA), and single sign-on (SSO) are practically table stakes.
The traditional castle-and-moat security approach grants broad lateral access to users once they gain entry into the network. But just because someone has the right username and password doesn’t mean they should be given access. Organizations need controls that can evaluate the access request based on context and other factors set by the organization. These factors may include geolocation, time of day, biometric factors, and more.
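What "grant access directly to authorized applications only" and "evaluate the access request based on context" mean in practice is a policy decision per application that every factor must pass. The following is an added example and not Cyolo's product logic: a small decision function over constructed users, groups, applications and a policy table, with one scenario that mirrors the post (an engineer with vault rights and completed MFA, but on an unmanaged personal device). Real deployments would take identity from an IdP and posture from the endpoint agent.

```python
"""Context-aware, per-application access decisions (least privilege + zero trust).

Added example, not Cyolo's product logic. Users, groups, applications, the
policy table and the request scenarios are constructed; real deployments take
identity from an IdP and posture from the endpoint agent.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DevicePosture:
    managed: bool        # enrolled in the organisation's device management
    os_patched: bool     # no known-vulnerable software versions reported
    edr_running: bool


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    app: str
    mfa_verified: bool
    country: str
    hour_utc: int
    device: DevicePosture


@dataclass
class AppPolicy:
    allowed_groups: Set[str]
    allowed_countries: Set[str]
    hours_utc: Tuple[int, int]          # [start, end) in UTC
    require_managed_device: bool = True
    require_mfa: bool = True


# Constructed policy table: the corporate vault is restricted to a small admin group,
# business hours, one country and healthy managed devices; the wiki is far looser.
POLICIES: Dict[str, AppPolicy] = {
    "corp-vault": AppPolicy({"vault-admins"}, {"US"}, (13, 23)),
    "wiki": AppPolicy({"employees"}, {"US", "IL"}, (0, 24), require_managed_device=False),
}


def evaluate(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Tuple[bool, List[str]]:
    """Return (allow, reasons). Every check must pass; the result grants access to one
    application, never to the network, and unknown applications are denied."""
    policy = policies.get(req.app)
    if policy is None:
        return False, ["no policy for application: default deny"]
    reasons: List[str] = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("user not in an authorized group")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not completed")
    if policy.require_managed_device:
        if not req.device.managed:
            reasons.append("unmanaged device")
        elif not (req.device.os_patched and req.device.edr_running):
            reasons.append("device posture check failed")
    if req.country not in policy.allowed_countries:
        reasons.append(f"access from {req.country} not permitted")
    start, end = policy.hours_utc
    if not (start <= req.hour_utc < end):
        reasons.append("outside permitted hours")
    return (not reasons), reasons


PERSONAL_PC = DevicePosture(managed=False, os_patched=False, edr_running=False)
MANAGED_LAPTOP = DevicePosture(managed=True, os_patched=True, edr_running=True)


def vault_request(device: DevicePosture, hour_utc: int = 15) -> AccessRequest:
    """Constructed scenario mirroring the post: an engineer with vault rights, MFA complete."""
    return AccessRequest(user="engineer", groups={"vault-admins", "employees"},
                         app="corp-vault", mfa_verified=True, country="US",
                         hour_utc=hour_utc, device=device)


if __name__ == "__main__":
    for label, device in (("personal PC", PERSONAL_PC), ("managed laptop", MANAGED_LAPTOP)):
        allow, why = evaluate(vault_request(device))
        print(f"{label}: {'ALLOW' if allow else 'DENY'} {why}")
```

The point of returning the reasons alongside the decision is auditability: a denied request tells the user and the security team which factor failed, and a correct username, password and MFA code on an unmanaged device is still a denial for the vault while remaining an allow for the wiki.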
Privileged access management (PAM) solutions can help protect an organization’s critical secrets, including development keys and access tokens. PAM solutions provide features like centralized authentication, access controls, auditing, and session management.
Data loss protection tools (DLP) are used to detect, prevent, and respond to the unauthorized disclosure of sensitive data, like personally identifiable information, financial data, intellectual property, and other types of confidential information that could be leveraged by an unauthorized party to cause harm to the organization.
Simplifying security isn’t just about improving user experience. Layering security tools adds further complexity to the already-complicated tech stack and creates gaps that bad actors can exploit. Tools like VPNs weren’t built to secure an enterprise-sized user base. Even best practice tools like PAM, DLP, or endpoint detection and response (EDR) can be isolated point solutions to specific problems. Without a concerted effort to operate and integrate these tools, many exploitable issues remain.
A 2022 Gartner survey showed that 75% of organizations sought to consolidate security vendors in 2022 — and not to reduce spend. Around 65% of organizations expected consolidation to improve their overall risk posture.
Simplifying your security stack gives you more control and less friction and can also quicken time-to-remediation.
Perhaps the scariest part about the LastPass nightmare is that something similar could happen to any organization that lacks proper security controls. Cyolo offers a trustless zero-trust access solution that connects users securely to the applications and resources they need while ensuring data privacy and protection.
Cyolo empowers organizations to make zero trust a reality by:
Extending MFA and SSO controls to any application or resource
Verifying every user and device using existing identity providers or the Cyolo IdP
Delivering users directly to applications and revoking access when their work is done
Monitoring every session and generating a full audit trail
Securing access for developers and other high-risk users
Authorizing users and devices by checking device posture criteria
The victim of the next headline-grabbing breach could be anyone — but that doesn't mean it has to be you.
Author
Samuel is the Director of Product Marketing at Cyolo. Before cybersecurity, he spent 7 years working in the ER and loves to tell stories. He is the husband to one, father to four, lives in Bozeman, MT, and would rather be outside. He holds an M.A. in Strategic Leadership from Life Pacific University.