LastPass Update: Senior Engineer’s Home Network Hacked, Key Material Stolen, Corporate Vaults Lost

3–6–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday March 6th, and you can tell that we’re starting to feel a touch of Spring here in the Pacific Northwest because we can move beyond the all-black-and-grey color palette in our wardrobes.

You might think this week’s one big thing would be the long-awaited announcement of President Biden’s National Cybersecurity Strategy, which finally arrived last Thursday.

But it’s not - and the reason that it’s not is that what we’re doing here is trying to distill the cyber news into things we can action as leaders and investors, really exploring that “So what?” question around the changing risk landscape.

Unfortunately, at this point, there’s really not much change coming out of this National Strategy document until we see new regulations from Congress. So, while I think it’s a massive shift, the pace is simply too slow to spend time on right now.

Instead, we’re going to focus on some additional news from a story we’ve covered before: the breach at password vault LastPass. Let’s dive in.

Things Get Worse for LastPass - And For Us

Last week, an undated blog post was published by password vault provider LastPass that offered additional insight into the incident they suffered late last year, in which backups of customer password vaults were stolen.

Previously, we’d thought that since the vaults were encrypted and the key material wasn’t compromised, we could minimize our concerns. What we learned in this new update, however, is that attackers did, indeed, obtain key material: the decryption keys for the cloud storage backups in which those vaults were kept, along with access keys for LastPass’s cloud environment. The customer vaults inside those backups are still encrypted with each user’s master password, so that password is now the only thing standing between the attackers and the vault contents. And the attackers got those keys by attacking a Senior DevOps Engineer’s home network and home computers, planting a keylogger that captured the master password for the engineer’s own corporate LastPass vault - after the engineer had already passed multi-factor authentication - and then exporting the key material that vault held.

Apparently, there were only 4 people at LastPass with the key to access this corporate vault, but attackers were able to not only find this person, but find their home network, find a way in, patiently wait for them to open the vault, and exfiltrate the material. This suggests a pretty sophisticated operation - certainly one that most companies would be ill prepared to defend against - but instead of throwing our hands up against Advanced Persistent Threats, let’s look at the real weak spot here.

The real reason this attack was able to take place successfully is that LastPass allowed employees to access corporate resources from personal devices. This is something that’s often overlooked in BYOD deployments - which typically focus on mobile devices like your iPhone - but the truth is that managing the endpoints, including gaining visibility and telemetry that can indicate malicious activity, can be the saving grace in instances like this.

Indeed, LastPass only learned about the second incident when Amazon warned them about anomalous activity “when the threat actor tried to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”

Ensuring that your company manages both the endpoints and the network - i.e. using corporate-issued, managed, patched, updated, and monitored laptops AND ALSO requiring employees to use VPN connections with multi-factor authentication - can significantly reduce the likelihood of events like this. Note what the VPN buys you here: it isn’t just encryption in transit, it means that administrative access to cloud resources can be restricted to, and alerted on outside of, a known set of corporate egress addresses.
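As an added illustration (my own example, not code from this post or from LastPass), here is what the “anomalous IAM activity” signal that Amazon raised, combined with the VPN-and-MFA recommendation above, looks like as simple detection logic. It scans CloudTrail-style records and flags sensitive IAM, STS, and S3 calls that were made either without MFA or from an address outside the corporate VPN egress range. The sample records, the VPN range, the account number, and the list of sensitive actions are all constructed assumptions for the example.

```python
"""
Added example, not part of the original post and not LastPass's code.
Scans CloudTrail-style records for two signals: sensitive API calls made
without MFA, and sensitive API calls made from outside the corporate VPN.
All sample data below is constructed for illustration.
"""
import ipaddress
import json

# Assumption: corporate VPN traffic egresses from this range (RFC 5737
# documentation space). Anything else is treated as an unmanaged network.
VPN_EGRESS_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the subset of API calls treated as sensitive. AssumeRole and
# IAM key/policy changes are the kind of activity the post says GuardDuty
# flagged; GetObject is where a backup bucket actually gets pulled down.
SENSITIVE_ACTIONS = {
    ("sts.amazonaws.com", "AssumeRole"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("s3.amazonaws.com", "GetObject"),
}


def mfa_present(record):
    """CloudTrail records MFA as the string "true"/"false" under
    userIdentity.sessionContext.attributes.mfaAuthenticated.  A call made
    with a long-lived access key has no sessionContext at all, which is
    exactly the stolen-key case, so "missing" is treated as "no MFA"."""
    attrs = (record.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def from_vpn(record):
    """True when sourceIPAddress falls inside an allowlisted VPN range."""
    ip = record.get("sourceIPAddress", "")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Calls AWS services make on the caller's behalf carry a DNS name
        # here (e.g. "cloudtrail.amazonaws.com"); out of scope for this check.
        return True
    return any(addr in net for net in VPN_EGRESS_CIDRS)


def evaluate(record):
    """Return a list of finding strings for one CloudTrail record."""
    findings = []
    key = (record.get("eventSource"), record.get("eventName"))
    if key not in SENSITIVE_ACTIONS:
        return findings
    who = record.get("userIdentity", {}).get("arn", "<unknown>")
    what = f"{key[1]} by {who} from {record.get('sourceIPAddress')}"
    if not mfa_present(record):
        findings.append(f"NO_MFA: {what}")
    if not from_vpn(record):
        findings.append(f"OFF_VPN: {what}")
    return findings


def scan(records):
    """Evaluate every record and return all findings in input order."""
    out = []
    for r in records:
        out.extend(evaluate(r))
    return out


# Constructed sample records, trimmed to the fields CloudTrail emits that
# the checks above look at. Record 1 is normal (MFA, on VPN); record 2 is
# a backup object being fetched off-VPN without MFA; record 3 is benign.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "sourceIPAddress": "203.0.113.17",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/devops-1",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/devops-1",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/devops-1"}}
]""")


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Run as-is it reports the second record twice, once for missing MFA and once for the off-VPN source. The same two conditions can also be enforced preventively in an IAM policy (AWS supports `aws:MultiFactorAuthPresent` and `aws:SourceIp` condition keys), which is the point of the recommendation above: a stolen access key used from the attacker’s own machine should be both blocked and loud.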

There are other benefits, as well - including data retention and privacy compliance benefits - but also some CapEx and OpEx costs to procure, deploy, and manage these machines.

Like everything in security, there are no solutions, only tradeoffs. This tradeoff, however, didn’t work out well for LastPass, and it’s generally not something that I would recommend for companies that handle sensitive data (like password vaults, of course, or payment data, healthcare data, regulated data, PII, IP, etc.).

I understand that this is yet another element to pay for and manage, but as you consider your own situational awareness, who owns the endpoint - you or the attacker - can make all the difference.

Fundraising

Back to big numbers this week - with nearly $16B in newly committed capital, the largest week in more than a month. Remember, too, that when we track these fundraising activities, it’s only funds who have actually closed - not announcements of opening or target numbers. This is actual capital, committed and ready to be called and invested.

Led this week by Crescent Capital Group’s $8B private credit fund, we’re seeing a range of fund types, sizes, and geographies - which bodes well for all involved. Concentrations of any type are, of course, often a warning sign.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://support.lastpass.com/help/incident-2-additional-details-of-the-attack

https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

https://infosec.exchange/@briankrebs/109940001072018363

https://techcrunch.com/2023/02/14/security-breach-blame-employees/
