LastPass Breach & Crypto Scams - Feb 27 to Mar 3, 2023- F5 SIRT - This Week in Security
Jordan here as your editor this week. This week I reviewed the LastPass breach, cryptocurrency scams, and a novel technique for cryptojacking on misconfigured Redis servers. Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. The problem with security news is that it's an absolute fire-hose of information, so each week or so we try to distill the things we found interesting and pass them on to you in a curated form.
It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under security emergency please contact F5 SIRT.
LastPass has disclosed another incident in the saga of their security breach. We've covered the situation a few times already here on TWIS, with articles in December, November, and August so I'll be highlighting the second incident here.
Incident 1 involved the compromise of a LastPass software engineer's corporate laptop, which allowed an attacker to gain access to a cloud-based development environment. The attacker was able to steal source code, technical information, and certain LastPass internal system secrets. According to the disclosure, no customer vault data was taken during this incident as there is no customer vault data in the development environment. The stolen information from this incident was later used to identify targets and initiate the second incident.
Incident 2, which was recently disclosed, involved an attacker who targeted a senior DevOps engineer by exploiting third-party software on their home computer. The attacker used the vulnerability to deliver malware and gained unauthorized access to LastPass' cloud-based backup storage. The attacker accessed DevOps Secrets, cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, and customer metadata, as well as backups of all customer vault data. The attacker also accessed a backup of the LastPass MFA/Federation Database, which was encrypted, but the decryption key was included in the stolen secrets. This database contained LastPass Authenticator seeds, phone numbers used for MFA backup, and a component used for LastPass federation. It's important to note that all sensitive customer vault data, except for certain information like URLs and file paths, was encrypted using the Zero knowledge model. In other words, the attackers got an encrypted version of the vault, but no sensitive data in plaintext.
LastPass has demonstrated transparency in their response to the recent incident, providing customers with detailed information and recommendations. They have taken proactive steps towards enhancing their security measures, including the deployment of new technologies, prioritizing investments in security, and implementing necessary changes to improve platform evolution. By allocating resources to enhance security across people, processes, and technology, LastPass has shown their commitment to ensure the safety of their platform. It seems this incident has resulted in post-traumatic growth, so I'm hoping to hear about more positive changes following their challenging experiences.
A large "rug pull" scam occurred last week, where scammers got away with $2 million in cryptocurrency. Since transactions are open to the public, a visualization can be seen on Twitter that shows the flow of cryptocurrency between the accounts. For those new to cryptocurrency scams, a "rug pull" is one that entices investors to buy a new cryptocurrency promising high returns. Developers use fraudulent tactics such as fake volume, pump and dump schemes to drive up the token price. Once a large amount of funds are collected, developers suddenly exit the project, leaving investors with worthless tokens. For more details on this and other types of cryptocurrency scams, you can view an article I co-authored on the topic.
Cryptojacking and Privacy Coins
The team at Cado Security recently discovered a cryptojacking campaign that takes advantage of misconfigured Redis servers. Redis is an open-source, in-memory data store typically used as a database or cache. In this scenario, attackers compromise exposed systems, write a script as the database contents, and then write the contents to disk as a cronjob using the backup feature. They then use the previously written cronjob to execute the contents, resulting in the execution of arbitrary code. In this case, execution results in the installation of the XMRig crypto miner which is used to perform cryptojacking.