LastPass Archives - My TechDecisions
https://mytechdecisions.com/tag/lastpass/
The end user’s first and last stop for making technology decisions

LastPass Hack: Attacker Accessed DevOps Engineer’s Home Computer to Steal Decryption Keys
Tue, 28 Feb 2023 21:00:36 +0000
https://mytechdecisions.com/network-security/lastpass-hack-attacker-accessed-devops-engineers-home-computer-to-steal-decrpytion-keys/

[Editor’s note: This article has been updated to reflect the company’s official statement on the new updates.]

The same threat actor that accessed portions of the LastPass development environment and source code, an incident that has forced the company to issue updates since August 2022 as new information is revealed, apparently accessed a shared cloud-storage environment after obtaining access keys and decryption keys by targeting a developer’s home computer.

The disclosure, which ties the new activity to the August 2022 incident, is the fourth update the company has issued on the matter, and it sheds light on the security issues inherent in distributed work environments and the vulnerability of home networks.

According to Boston, Mass.-based LastPass, the threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch the coordinated second attack.

In an update, the company says the attack targeted LastPass infrastructure, resources and an employee. The attack leveraged different tools and methods from those used in the attack discovered last summer, leading the company to believe at first that the incidents were not related.

“Our investigation has revealed that the threat actor pivoted from the first incident, which ended on August 12, 2022, but was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022,” the company says in a new update.

In response, LastPass created a guide to help LastPass business administrators and security analysts assess and understand the actions they should take.

The company has also created a PDF document that details the incidents, what data was accessed, what actions business and consumers should take, what the company has done in response and what LastPass will do going forward.

However, the information was originally difficult to find on the company’s website earlier this week. As Bleeping Computer spotted, the support documents about the incident are not listed in search engines, because the company added `<meta name="robots" content="noindex">` HTML tags to the documents to prevent them from being indexed.

CEO Karim Toubba has since given an official statement on the new updates, essentially repeating what those advisories and documents say and explaining the company’s response timeline.

“We have heard and taken seriously the feedback that we should have communicated more frequently and comprehensively throughout this process,” Toubba says. “The length of the investigation left us with difficult trade-offs to make in that regard, but we understand and regret the frustration that our initial communications caused for both the businesses and consumers who rely on our products. In sharing these additional details today, and in our approach going forward, we are determined to do right by our customers and communicate more effectively.”

New information emerges

According to the company’s update, the threat actor leveraged valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, making it difficult for investigators to differentiate between threat actor activity and legitimate use.

Amazon Web Services (AWS) GuardDuty Alerts informed LastPass of the anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity, the company says.

To access the cloud-based storage resources – notably S3 buckets, which are protected with either AWS S3-SSE encryption, AWS S3-KMS encryption, or AWS S3-SSE-C encryption – the threat actor needed to obtain AWS Access Keys and the LastPass-generated decryption keys. The encrypted cloud-based storage services house backups of LastPass customer and encrypted vault data.

As mentioned in the first incident summary, certain LastPass credentials stolen during the first attack were encrypted and the threat actor did not have access to the decryption keys, which could only be retrieved from two locations:

  1. A segregated and secured implementation of an orchestration platform and key-value store used to coordinate backups of LastPass development and production environments with various cloud-based storage resources, or

  2. A highly restricted set of shared folders in a LastPass password manager vault that are used by DevOps engineers to perform administrative duties in these environments.

To obtain those decryption keys needed to access the AWS S3 buckets, the threat actor targeted one of the four DevOps engineers who had access to those decryption keys. The threat actor targeted the engineer’s home computer, exploited a third-party media software package bug to gain remote code execution and implanted keylogger malware.

This allowed the attacker to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.

The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups, the company says.

The company says it has performed the following work:

  • With the assistance of Mandiant, we forensically imaged devices to investigate corporate and personal resources and gather evidence detailing potential threat actor activity.
  • We assisted the DevOps Engineer with hardening the security of their home network and personal resources.
  • We enabled Microsoft’s conditional access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application which became generally available during the incident.
  • We rotated critical and high privilege credentials that were known to be available to the threat actor; we continue to rotate the remaining lower priority items that pose no risk to LastPass or our customers.
  • We began revoking and re-issuing certificates obtained by the threat actor.
  • We analyzed LastPass AWS S3 cloud-based storage resources and applied or started to apply additional S3 hardening measures:
    • We put in place additional logging and alerting across the Cloud Storage environment with tighter IAM policies enforced.
    • We deactivated prior development IAM users.
    • We enabled a policy that prevents the creation and use of long-lived development IAM users in the new development environment.
    • We rotated existing production service IAM user keys, applied tighter IP restrictions, and reconfigured policies to adhere to least privilege.
    • We deleted obsolete service IAM users from the development and production environments.
    • We are enabling IAM resource tagging enforcement on accounts for both users and roles with periodic reporting on non-compliant resources.
  • We rotated critical SAML certificates used for internal and external services.
  • We deleted obsolete/unused SAML certificates used for development, services, or third parties.
  • We revised our 24×7 threat detection and response coverage, with additional managed and automated services enabled to facilitate appropriate escalation.
  • We developed and enabled custom analytics that can detect ongoing abuse of AWS resources.

What should businesses do?

LastPass recommends that organizations’ IT professionals and security analysts review its document on recommended actions, which covers these topics:

  1. Master password length and complexity
  2. Iteration counts for master passwords
  3. Super admin best practices
  4. MFA shared secrets
  5. SIEM Splunk integration
  6. Exposure due to unencrypted data
  7. Deprecation of Password apps (Push Sites to Users)
  8. Reset SCIM, Enterprise API, SAML keys
  9. Federated customer considerations
  10. Additional considerations

Password Management Company Warns of Potential for Credential Attacks
Tue, 27 Dec 2022 16:27:51 +0000
https://mytechdecisions.com/network-security/password-management-company-warns-of-potential-for-credential-attacks/

Password management company LastPass is recommending that some users who do not have the default master password settings enabled change the passwords of websites they have stored, after new information was revealed about an August 2022 security incident.

This new information, posted on the company’s website on Dec. 22, stems from an August 2022 incident which was originally thought to involve only access to portions of the LastPass development environment and source code through a single compromised developer account.

On Nov. 30, the company said the threat actor used information obtained from the August incident to gain access to a third-party cloud storage service used by both LastPass and affiliate GoTo. The company says the unauthorized party accessed “certain elements” of customer information, but passwords remained “safely encrypted” due to the company’s Zero Knowledge architecture.

Now, the company says the hacker copied information from a backup that contained “basic customer account information and related metadata,” such as company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service.

In addition, the threat actor copied a backup of customer vault data from the encrypted storage container, which is stored in a proprietary binary form that contains both unencrypted data, such as websites and URLs as well as fully encrypted sensitive fields such as usernames, passwords, secure notes and form-filled data.

However, LastPass says these encrypted fields are secured with 256-bit encryption and can only be decrypted with a unique encryption key derived from each user’s master password through the company’s Zero Knowledge architecture. The company reiterates that the master password is never known to LastPass and is never stored or maintained by the company.

In addition, there was no evidence that unencrypted credit card data was accessed, the company says.

The threat actor may attempt to brute force master passwords to decrypt copies of stolen vault data, or could choose to conduct phishing attacks, credential stuffing or other brute force activities against online accounts associated with their LastPass vault, but the company says its default master password settings and best practices should help protect against those activities.

LastPass says its default master password settings are designed to make it very difficult for hackers to guess master passwords using generally available password-cracking tools, and it would take “millions of years” to do so.

While the company doesn’t recommend any immediate action, users should consider changing passwords of websites they have stored if default settings are not in place.

Those defaults include a twelve-character minimum for master passwords, 100,100 iterations of PBKDF2 (Password-Based Key Derivation Function 2), and never reusing master passwords on other websites.

In addition, business customers who do not use Federated Login and do not have the default password policies in place should also consider changing stored passwords for websites.

This Week in IT: AWS re:Invent, Cuba Ransomware, LastPass Incident
Thu, 01 Dec 2022 19:57:55 +0000
https://mytechdecisions.com/news-1/this-week-in-it-aws-reinvent-cuba-ransomware-lastpass-incident/

Editor’s note: There is a lot going on in the world of IT, from emerging technologies to digital transformation and new cybersecurity threats. However, we can’t possibly cover it all, so we’ll bring you This Week in IT, a curated summary of IT and enterprise technology news stories each week.

AWS re:Invent Announcements

Amazon Web Services held its annual re:Invent conference this week in Las Vegas, and the cloud services provider made dozens of announcements of new products and services in data, security, AI, machine learning, cloud services and more.

These new offerings include, among others:

  • Eight new Amazon SageMaker capabilities for better governance and visibility into machine-learning model performance.
  • Five new database and analytics capabilities designed for faster and easier management and analysis of data at petabyte scale.
  • AWS Supply Chain, a new cloud application designed to improve supply chain visibility and help mitigate risks, lower costs and improve customer experiences.
  • AWS Clean Rooms, a new analytics service designed to help organizations easily and securely analyze and collaborate on combined datasets without revealing underlying data.
  • Three new EC2 instances powered by new AWS chips for better performance at lower costs.
  • Amazon Security Lake, a new service that automatically centralizes an organization’s security data from cloud and on-premises sources into a purpose-built data lake.
  • AWS SimSpace Weaver, a fully managed compute service designed to help customers build, operate and run large-scale spatial simulations.
  • Amazon DataZone, a new data management service designed to make it easier to catalog, discover, share and govern data stores across AWS, on-premises and third-party sources.
  • Amazon Aurora zero-ETL integration with Amazon Redshift and Amazon Redshift integration with Apache Spark.
  • Five new Amazon QuickSight capabilities to help organizations streamline business intelligence operations.

Learn more about AWS’ announcements from re:Invent 2022.

CISA warns of Cuba ransomware

Nearly a year after first issuing an advisory, the U.S. Cybersecurity & Infrastructure Security Agency has issued a joint advisory with the FBI to educate organizations about the Cuba ransomware group and their known tactics.

The ransomware group, which CISA says does not appear to be affiliated with the country of the same name, first surfaced in December 2021. The number of U.S. organizations compromised by the group has doubled and the group has demanded over $145 million in ransom and has received over $60 million. Like other ransomware actors, they leverage bugs in commercial software, phishing attacks, compromised credentials and legitimate remote desktop protocol tools.

Read the advisory for more information.

LastPass notifies customers of new security incident

Password management company LastPass has notified all customers of a security incident within a third-party cloud storage service shared with affiliate GoTo. The malicious actor used information obtained from an August 2022 incident to gain access to some customer information, but the company maintains that passwords remain “safely encrypted due to LastPass’s Zero Knowledge architecture.”

In the notice, CEO Karim Toubba did not say what information had been accessed, but LastPass said it has engaged cybersecurity firm Mandiant to determine the scope of the incident and is deploying enhanced security and monitoring capabilities across its infrastructure to help detect and prevent further activity.

Read the notice for more information.

LastPass Confirms Security Incident
Fri, 26 Aug 2022 17:38:37 +0000
https://mytechdecisions.com/network-security/lastpass-security-incident/

LastPass, the Boston-based cloud security password and identity management solutions provider, confirms it has detected unusual activity within portions of its development environment.

No customer data or encrypted password vaults were compromised, according to the company.

The unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some of the company’s proprietary technical information.

Following the discovery of the incident, LastPass has engaged a cyber security and forensic firm to help mitigate it. The investigation is currently ongoing.

All LastPass products and services are operating normally, says the company.

“While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity,” said Karim Toubba, CEO of LastPass in a blog post.

LastPass reassures users that master passwords have not been compromised, since the incident occurred in the development environment. The investigation has shown no evidence of any unauthorized access to encrypted bulk data.

LastPass utilizes a zero-knowledge model to ensure that only customers can decrypt their vault data. The company also affirms that there is no evidence of any unauthorized access to customer data in the production environment.

LastPass has no recommended actions for users and administrators at this time, but it does note that they should follow best practices around the setup and configuration of LastPass.

LastPass Launches Passwordless Login to Vault
Tue, 07 Jun 2022 18:20:04 +0000
https://mytechdecisions.com/network-security/lastpass-passwordless-login-vault/

Password management provider LastPass is launching a new secure passwordless login to the LastPass vault via the LastPass Authenticator, creating a passwordless password manager, which the company says is a first for the security industry.

The Boston, Mass.-based company says the launch of passwordless login comes as the company is committed to a standards-based FIDO-supported passwordless future. The announcement comes shortly after tech giants announced their support for a passwordless future. Apple, Google and Microsoft announced in May plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. That capability is designed to allow websites and apps to offer secure passwordless sign-ins to consumers across devices and platforms.

In addition to enhanced security, the company bills this new capability as a way to fill gaps left by other identity providers, increase productivity by removing the need to reset forgotten passwords, and drive higher adoption of password managers.

Chris Hoff, chief secure technology officer at LastPass, says the company is the only one to offer passwordless login to a password manager.

“While broad implementation and adoption of passwordless is the industry’s ultimate goal, it will likely take years before people experience an end-to-end passwordless login across all applications, but LastPass helps get you there sooner,” Hoff says.

The company says it is actively building FIDO2-compliant components and supporting authentication mechanisms, such as biometric face and fingerprint ID, and that hardware security keys are expected to be added to the passwordless offering later this year.

These passwordless login abilities eliminate the need for the master password as the primary method of authenticating a user logging into a LastPass vault.

The company says it is committed to providing customers with passwordless options, with the goal of completely removing the need for a master password.

“Authentication is a critical component of any zero-trust architecture and bringing that to users at scale is how businesses can enable greater security and enhanced user experience. We applaud LastPass for continuing to evolve their offerings to bring a passwordless login experience to users around the world, helping to break the dependence on passwords and usher in a safer way to interact online,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance, in a statement.

Password Managers Still Have A Place Despite Passwordless Push
Thu, 05 May 2022 21:05:17 +0000
https://mytechdecisions.com/it-infrastructure/password-managers-still-have-a-place-despite-passwordless-push/

Technology has helped organizations adapt to rapidly changing economic and political situations over the last few years, including when the COVID-19 pandemic forced offices to close. While IT professionals are thankful for new and emerging technologies that help their businesses meet those challenges head on, they come with another set of issues: more passwords to manage.

While companies like Microsoft and Google are using World Password Day to encourage organizations to move toward more passwordless solutions and different forms of authentication, passwords are still very much a part of the IT infrastructure at most organizations.

According to a recent IDC study commissioned by password manager LastPass, 83% of security breaches leveraged an identity-related compromise, such as phishing, suggesting a clear need for better identity and access management solutions.

The study found that balancing security requirements and user experience for employees is the top identity challenge for IT professionals, followed closely by employees struggling with too many passwords at 32%.

“This really speaks to the prevalence and just how pervasive password problems really are in organizations,” says Katie Petrillo, director of product marketing at LastPass, in an interview with TechDecisions.

According to Petrillo, the study indicates that these password and identity challenges are not new at all, but have been heightened due to the pandemic and rise of cyberattacks targeting user credentials.

While acknowledging that passwords are “one of the oldest aspects of the internet and super outdated,” the fact is that they remain the center of attention when it comes to account security.

“They seem mundane and antiquated, but we’re having so much conversation around them still, and needing to solve for them,” Petrillo says.

IT giants such as Google, Microsoft, Apple and others have been pushing passwordless solutions, and Petrillo acknowledges that day may indeed come at some point down the road, but not overnight, given the sheer number of passwords and the massive overhaul of IT architecture that such a drastic shift would involve.

Another study, this one from password manager provider Bitwarden, finds that 85% of Americans reuse passwords across multiple sites, and about half rely on their memory alone to manage passwords.

Even more alarming is the study’s finding that just 32% of Americans are required to use a password at work.

According to Gary Orenstein, chief customer officer at Bitwarden, the proliferation of the cloud, software-as-a-service (SaaS) and single sign-on (SSO) are all key reasons for that. However, passwords have still not gone away, and they won’t for a while.

“But sort of in the midst of all that, there was a little bit of forgetting that we have to start from square one, which is how do we help people with generating a strong and unique password? There’s still a wide range of things beyond the world of SSO—everything from the office Wi-Fi password to some service that may not be SSO enabled,” Orenstein says.

While tech giants are paving the way for more passwordless experiences, Orenstein says password managers can still play a part.

“I live a virtually passwordless life today with how I use Bitwarden,” Orenstein says. “I log in with biometrics if I need to go to a new website and log in Bitwarden and have it generate a strong and unique password for me. I’m auto-filling my passwords, not typing them in anywhere because Bitwarden does all the auto-filling.”

Orenstein points to emerging standards such as FIDO2, which Bitwarden actually supports as a passwordless authentication capability.

Other methods such as security keys and biometrics can be integrated with existing identity solutions from SSO providers to become part of the solution that gets organizations to a passwordless environment, he says.

“I think there is a merging,” Orenstein says.

LastPass Business Announces Integrations with PingOne and PingFederate
Tue, 22 Mar 2022 15:19:54 +0000
https://mytechdecisions.com/network-security/lastpass-business-integrations-pingone-pingfederate/

Password management provider LastPass announced new integrations with Ping Identity, including PingOne and PingFederate, to better serve enterprise businesses. Customers using PingOne or PingFederate as their identity provider (IdP) can now integrate with LastPass to simplify access management and easily scale proper password hygiene across entire organizations, saving time for IT departments while keeping data secure, without adding another step – or password – to the end users’ workflow. With these new additions, LastPass Business now has integrations with all major IdPs, serving businesses of every size.

The integrations with PingOne and PingFederate enable end-users to securely access LastPass, provide automated provisioning and deprovisioning for IT admins, and simplify user access for employees by eliminating the need for an additional password, all without compromising security, according to the company. With LastPass’ cloud-based IdP integrations, businesses can manage users and deploy federated login once, without the need for additional overhead, plug-ins and maintenance.

“The LastPass integrations with PingOne and PingFederate provide enterprise companies the ability to easily connect employees to their work while leveraging the technology and solutions that businesses have already implemented,” said Dan DeMichele, vice president of product management for LastPass, in a statement. “Adding Ping Identity as an integration partner is a big win for LastPass Business and we’re proud to serve companies of all sizes with added security and simplified access,” he said.

“Customers have communicated the value they would gain by integrating PingOne and PingFederate with the secure password storage of LastPass to improve convenience and security for IT teams and end-users,” said Loren Russon, VP of product management and design for Ping Identity, in a statement. “With our new integration with LastPass, together we provide a secure approach to identity and password management that delivers a seamless login experience for our customers.”

Federated login offers additional security without complexity, and LastPass says its federation model preserves its zero-knowledge infrastructure. Additional benefits claimed by the company include:

  • Simplifies user access: Alleviates login frustrations and easily connects employees to their work, all while leveraging the technology and solutions the organization has already implemented.
  • Eliminates additional passwords: Employees only need one password to unlock work – their Ping login. Simplifies access and boosts productivity by providing a passwordless experience (one less password required to access the user’s vault).
  • Increases adoption: Simplifies the end-user enrollment process by removing the need for a master password, giving employees immediate access to the credentials they need to do their work and removing login frustrations.
  • Automates identity management: Saves time and resources while scaling password management across the organization by automating provisioning between the identity provider and LastPass, and helps ensure no data leaves the business when employees do.


The Amount Of Passwords End Users Have Is Leading To Poor Security Habits https://mytechdecisions.com/network-security/password-security-lastpass/ Thu, 10 Mar 2022 19:33:36 +0000

The post The Amount Of Passwords End Users Have Is Leading To Poor Security Habits appeared first on My TechDecisions.

The IT industry continues to hammer home the idea that identity security and password hygiene are often the first lines of defense when it comes to cyberattacks, yet organizations continue to engage in poor practices and have trouble balancing security requirements and user experiences.

Just recently, we have covered several studies from IT companies about the importance of securing end users’ credentials. One such study from Specops found that malicious cyber actors are adapting to password security trends by using complex passwords in brute-force and password-spraying attacks. Another study, this one from NordPass, reveals that a significant number of companies still have users who keep track of passwords in plain-text documents that are not password protected. This is happening even as the number of exposed credentials increased last year by 15%.

The state of the IT industry is not helping, as more and more cloud apps are rolled out to help organizations shift to an increasingly digital environment defined by remote and hybrid work models. Along with those apps comes another set of credentials that IT has to manage.

According to a recent IDC study sponsored by LastPass, the sheer volume of passwords used in the enterprise is the number one identity challenge. That issue rises above other pain points, such as user access, authentication controls, and dealing with legacy systems.

“This really speaks to the prevalence and just how pervasive password problems really are in organizations,” says Katie Petrillo, director of product marketing at LastPass.

According to one 2021 LastPass study, workers have to remember between 50 and 120 passwords, which can lead to poor password security practices and account compromise. Further, LastPass says 65% of people almost always reuse the same password or a variation of it, and 45% didn’t change their password even after a breach occurred.

“These are not new challenges,” Petrillo says. “They are very much heightened by the pandemic and remote work and the rise of cyberattacks that we have been seeing over the last couple of years.”

According to the LastPass/IDC study, balancing security requirements and user experience is the top identity challenge (38%), followed by employees struggling with too many passwords (32%).

At large organizations, the number of passwords is a key challenge for 36% of respondents, while 40% of public-sector respondents say the same.

While much of the focus on credential security has been on tools such as single sign-on and multifactor authentication, a password management solution has been deployed at 45% of organizations, according to the LastPass/IDC study.

The COVID-19 pandemic and the resulting exodus out of the office to remote work environments brought about an urgency for solving some password security issues, but what was lacking was a solution to the dozens of passwords workers must remember, Petrillo says.

“I think some of this is due to like the disparate nature of remote work, but also how traditional identity and access management (IAM) solutions are not really built to solve for passwords in this remote environment,” Petrillo says. “Because you have employees that are working all over the world and they’re no longer mostly confined to like an office network and an office security perimeter, which is what a lot of the traditional IAM tools are meant to solve for.”

Employees are now demanding a seamless work experience without getting bogged down in security protocols, and the study found that one in three global organizations is struggling to balance user experience, productivity and security.

“We’re sort of at the mercy of our employees and what they are doing in their homes or at the Airbnb they’re working from that week,” Petrillo says. “They need to do their jobs and get access, but they need to do so in a way that is simple for them and gives them peace of mind and security.”


LogMeIn To Establish LastPass as Independent Cloud Security Company https://mytechdecisions.com/network-security/logmein-to-establish-lastpass-as-independent-cloud-security-company/ Thu, 16 Dec 2021 15:21:54 +0000

The post LogMeIn To Establish LastPass as Independent Cloud Security Company appeared first on My TechDecisions.

LogMeIn, Inc., the Boston-based provider of cloud solutions including LastPass, GoToConnect, GoToMeeting and Rescue, is making its password management solution LastPass a standalone company.

According to the company, LastPass is used by more than 30 million users and 85,000 businesses worldwide and is set for strong and sustained growth as consumers and businesses continue to prioritize password security.

By establishing LastPass as a standalone business, the company plans to increase investment in the customer experience, go-to-market functions and engineering to accelerate its organic growth in password management, single sign-on (SSO) and multi-factor authentication (MFA). Customers will see planned enhancements on an accelerated timeline in 2022, with the benefit of additional dedicated LastPass resources.

“The substantial scale of LastPass, its tremendous growth, and its market leading position and brand makes it a perfect candidate to seize new opportunities as its own standalone company,” says Bill Wagner, president and chief executive officer of LogMeIn.

Listen: My TechDecisions Podcast Episode 80: LogMeIn and Supporting Remote Work

The majority of LastPass’ business comes from corporate customers. The importance of securing identity verification for consumers and businesses is rising given the rapid proliferation of passwords and the prevalence of unauthorized access by attackers.

“The success we’ve seen across the entire LogMeIn portfolio over the last 18 months proves there is a vast growth opportunity ahead for both LastPass and LogMeIn,” says Andrew Kowal, partner, Francisco Partners. “We assessed our portfolio with a laser focus on unlocking the full potential of our business and identifying how we could best serve customers and accelerate growth across very different markets.”

The global shift to remote working has also fueled the adoption of new accounts and applications; 50 percent of people in the 2021 Psychology of Passwords research reported twice the number of accounts today, compared to pre-pandemic levels.

“Organizations of all sizes across all verticals have applications that lack a SAML or OpenID interface for single sign-on access, and their management is acutely aware of the financial costs and productivity burdens that come with repeated credentials resets,” says Jay Bretzmann, program director, cybersecurity products, IDC. “LastPass clearly sees the opportunity in today’s market, and with today’s announcement, is poised to deliver increased strategic value to customers.”

Using a zero-knowledge security model, LastPass lets end users generate, secure and share credentials, and monitor personal information on the dark web, while giving IT teams insight and control through its admin console and policy configurations. By reducing the number of credentials through simplified access with SSO and passwordless MFA to cloud and legacy applications, VPNs and workstations, LastPass says it can further improve security for businesses.

Wagner adds, “[The] announcement also reflects our strategic priority to strengthen and invest in our flexible work enablement portfolio across unified communications and collaboration and IT management and support. We believe that LogMeIn is well positioned to continue to deliver strong results and capitalize on the tremendous opportunity in today’s virtual environment.”

