LastPass incident response report on source code breach released

According to the company, the attacker or attackers at LastPass seem to have operated more stealthily, apparently tricking a LastPass developer into installing malware that the cyber criminals then used to hitch a ride into the company’s source code repository.

From LastPass' post-attack assessment, the company has found that the attacker "gained access to the development environment using a developer's compromised endpoint", which has led the company to assume this was down to the attacker implanting system-snooping malware on a programmer’s computer.

The trick used to implant the malware couldn't be determined by LastPass which the company has noted as "disappointing", stating that "knowing how the last attack was actually carried out makes it easier to reassure customers that revised prevention, detection and response procedures are likely to block it next time".

Many potential attack vectors spring to mind, which includes unpatched local software, a "shadow IT" leading to an insecure local configuration, a phishing click-through blunder, unsafe downloading habits, treachery in the source code supply chain relied on by the coder concerned, or a booby-trapped email attachment opened in error.

LastPass added that the attacker "utilised their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication". Meaning that that the hacker may not have ever needed to acquire the victim's password or 2FA code, but simply used a cookie-stealing attack, or extracted the developer's authentication token from genuine network traffic (or from the RAM of the victim's computer) in order to piggyback on the programmer’s usual access.

The attacker had been detected and expelled by LastPass within four days. With the risks of timestamp ambiguity in system logs, being able to determine the precise order in which events occurred during an attack is a vital part of incident response according to the company.

LastPass keeps its development and production networks physically separate. According to Paul Ducklin of Sophos Naked Security, this is a "good cyber security practice".

"It prevents an attack on the development network, where things are inevitably in an ongoing state of change and experimentation, from turning into an immediate compromise of the official software that’s directly available to customers and the rest of the business," Ducklin said.

VIEW ALL

The company doesn’t keep any customer data in its development environment either which Ducklin notes as a good move.

"Again, this is good practice given that developers are, as the job name suggests, generally working on software that has yet to go through a full-on security review and quality assurance process.

"This separation also makes it believable for LastPass to claim that no password vault data, which would have been encrypted with users' private keys anyway, could have been exposed, which is a stronger claim than simply saying, 'We couldn’t find any evidence that it was exposed'.

"Keeping real-world data out of your development network also prevents well-meaning coders from inadvertently grabbing data that's meant to be under regulatory protection and using it for unofficial test purposes.

"Although source code was stolen, no unauthorised code changes were left behind by the attacker," Ducklin added.

Source code moving from the development network into production, Ducklin continued, "can only happen after the completion of rigorous code review, testing, and validation processes".

"This makes it believable for LastPass to claim that no modified or poisoned source code would have reached customers or the rest of the business, even if the attacker had managed to implant rogue code in the version control system," Ducklin said.

LastPass never stores or even knows its users' private decryption keys. In other words, even if the attacker had made off with password data, according to Ducklin, it would have ended up as just so much shredded "digital cabbage".

"The company also provides a public explanation of how it secures password vault data against offline cracking, including using client-side PBKDF2-HMAC-SHA256 for salting-hashing-and-stretching your offline password with 100,100 iterations, thus making password cracking attempts very much harder even if attackers make off with locally-stored copies of your password vault," Ducklin further explained.

Although this is an embarrassing incident for LastPass, the attack, and the company's own incident report, are good reminders that "divide and conquer", also known by the jargon term zero trust, is an important part of contemporary cyber defence.

"Hats off to LastPass for admitting to what amounts to a 'known unknown'," Ducklin concluded.

[Related: Slack notification alerted Uber of breach]