LastPass: a hangover that never ends


Alexander Schmid

September 9, 2023 at 1:00 p.m.


LastPass © Shutterstock


The LastPass hack is believed to be behind the theft of tens of millions of dollars in cryptocurrency.

LastPass is in turmoil. The popular password manager has been the victim of several major security incidents in recent months, and the damage to its users is now starting to show.

Two linked attacks

The company’s troubles began a little over a year ago. In August 2022, Karim Toubba, CEO of LastPass, announced that hackers had managed to penetrate the company’s systems. Part of the source code and sensitive technical information were stolen. Three weeks later, the company reassured users that the attackers had not accessed any customer data or password vaults.

The respite was short-lived. In November 2022 came another hard blow: LastPass disclosed a second data breach, made possible by the material stolen during the first attack. Far more serious, this episode involved the compromise of encrypted copies of some customers’ password vaults, along with other customer personal information.

A vulnerability in Plex, on an engineer’s personal PC

In February 2023, new details emerged that did nothing to help LastPass’s case. It was revealed that the first attack allowed the hackers to steal server credentials from a DevOps engineer, one of only four employees with access to a critical system on the network.


“This was accomplished by targeting the DevOps engineer’s personal computer and exploiting a vulnerable third-party media software package, which enabled remote code execution and allowed the threat actor to plant keylogging malware,” we are then told. “The threat actor was able to capture the employee’s master password as it was entered, after the employee performed two-factor authentication, and gain access to the DevOps engineer’s LastPass corporate vault,” the company indicates. We would later learn that the flaw exploited was in Plex.

With this access, the hackers carried out reconnaissance and exfiltration on LastPass servers for weeks in preparation for their final attack. They eventually recovered the decryption keys used to unlock LastPass’s cloud storage and were thus able to steal customer data, some of it encrypted, some of it stored in clear text.

Millions of dollars in cryptocurrencies gone

Faced with this situation, LastPass has understandably lost the trust of its users. We are only now beginning to measure the impact of this data leak, which may reach much further than expected.

Noticing an abnormal increase in cryptocurrency thefts, Taylor Monahan, an executive at MetaMask, a software cryptocurrency wallet for the Ethereum blockchain, launched an investigation to identify a common denominator among the victims.

Her search was fruitless for a long time. The users who saw their cryptocurrency disappear were in most cases long-time investors, well aware of the security measures needed to protect their assets. So how did so many of them get robbed?

It took many months of work to finally connect the thefts. “A set of very reliable clues” points to LastPass as the culprit in all these cases. The common point among almost all victims is that they had, at some point, stored the seed phrase for recovering their crypto wallet inside the password manager. By obtaining this secret, the hackers could access the wallets and move the funds.

Taylor Monahan claims that at least 150 people lost a total of more than $35 million in cryptocurrency this way. The blockchain addresses used for the operation confirm that the thefts were carried out by the same hacker network.
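The pattern described above, a wallet recovery phrase sitting in a vault note, is something a user can check for themselves before a vault copy ever leaves the provider. The following script is an added example, not code from the article or from LastPass: it scans a password-manager CSV export for fields that look like a 12- to 24-word recovery phrase so they can be moved to offline storage and the wallets rotated. The column layout, the sample rows and the word-shape heuristic are all assumptions; a stricter check would validate each word against the BIP39 wordlist, which is not embedded here.

```python
"""
Audit a password-manager CSV export for notes or passwords that look
like wallet recovery seed phrases.  Added example with constructed
sample data; the column names (name, username, password, notes) are an
assumption and do not reproduce any vendor's export format.
"""
import csv
import io
import re

# Mnemonic recovery phrases are 12, 15, 18, 21 or 24 lowercase words,
# each 3 to 8 letters long.  This is a shape check only, not a wordlist check.
VALID_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_seed_phrase(text: str) -> bool:
    """True if a single line has the word count and word shape of a mnemonic."""
    words = text.strip().split()
    if len(words) not in VALID_LENGTHS:
        return False
    return all(WORD_RE.match(w) for w in words)


def contains_seed_phrase(field: str) -> bool:
    """Check each line separately: notes often hold a label line plus the phrase."""
    return any(looks_like_seed_phrase(line) for line in field.splitlines())


def find_seed_entries(csv_text: str) -> list[tuple[str, str]]:
    """Return (entry name, column) pairs whose password or notes look like a seed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        for column in ("password", "notes"):
            if contains_seed_phrase(row.get(column) or ""):
                hits.append((row["name"], column))
                break  # one hit per entry is enough to flag it
    return hits


# Constructed sample export.  The 12-word phrase is the first twelve
# entries of the public BIP39 English wordlist, used purely as a shape example.
SAMPLE_EXPORT = """name,username,password,notes
bank,alice,Tr0ub4dor&3,
hardware-wallet,,,"recovery phrase:
abandon ability able about above absent absorb abstract absurd abuse access accident"
email,alice@example.com,correct horse battery staple,
"""


def main() -> None:
    hits = find_seed_entries(SAMPLE_EXPORT)
    if not hits:
        print("no seed-phrase-like entries found")
    for name, column in hits:
        print(f"entry {name!r}: {column} field looks like a recovery phrase")


if __name__ == "__main__":
    main()
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; any flagged entry is a candidate for removal from the vault, and if the vault was ever exposed the wallet behind it should be treated as compromised regardless of whether funds have moved yet.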


LastPass

  • Unlimited password storage
  • Dark web monitoring (Premium)
  • Interface

LastPass is very easy to learn. Everything is intuitive and well organized, whether with the version to install on computer or the mobile applications. Like other online managers, the desktop version offers more adjustment possibilities. Available for free or in Premium (and Family) versions, LastPass will meet all your needs. However, with 2022 marked by security issues encountered by the company, LastPass’s reputation is now tarnished, and it will be necessary for the manager to redouble its efforts to regain user trust.


Source: Krebs On Security



Source link -99