The cybercriminal used third-party VPN services to obscure the origin of the threat activity. In parallel, the cybercriminal accessed a cloud-based development environment while masquerading as the software engineer's laptop. Through the LastPass corporate VPN, the cybercriminals got into the cloud-based development environment. Further, the cybercriminal leveraged this access to the cloud-based development environment and got hold of technical documentation along with LastPass source code from the software engineer's laptop. In addition, they successfully established a dedicated connection by relying on the software engineer's domain credentials and MFA.

Out of the 200 source code repositories that make up the different components of the LastPass service, 14 were taken by the cybercriminal, along with digital certificates related to the development environments.

LastPass investigated the whole activity by engaging Mandiant for assistance with incident response. As the cloud-based development environment and the on-premises production data centers are physically and logically separated, no customer data was stolen during the initial breach. LastPass proceeded with incident response through containment, eradication, and recovery.

As mentioned in the first part, the cybercriminals got hold of encrypted credentials for which they did not have the decryption keys. LastPass says, "Despite high confidence in the outcomes of our investigation and actions taken in response to the first incident, the threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack."

The decryption keys can be retrieved from two locations: a key-value pair used to access backups of the LastPass development and production environments, or a highly restricted set of folders in a LastPass password manager vault used by DevOps engineers. Hence, the cybercriminal targeted one of the four DevOps engineers with access to that highly restricted set of folders, which held the decryption keys for the cloud storage services. To this end, the cybercriminal targeted the DevOps engineer's personal computer by exploiting a vulnerable third-party media software package. With remote code execution capability, the cybercriminals implanted keylogger malware to capture the engineer's master password. When the DevOps engineer authenticated with MFA, the cybercriminal gained access to the LastPass corporate vault. The cybercriminal then exported the corporate vault entries and the content of the shared folders.