The attacker that recently breached LastPass lurked around the network for days before being spotted and eliminated, the company has confirmed.
During that time, though, the attacker did not access customer data, or encrypted password vaults, the investigation has shown.
“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults,” Toubba said.
The attacker was apparently able to access the company’s Development environment through a developer’s compromised endpoint.
The investigation and forensics did not manage to determine the exact method used for the initial endpoint compromise, Toubba did say the attackers utilized their persistent access to impersonate the developer after successfully authenticating with MFA.
Code is safe
LastPass also said there was no evidence of the threat actor trying to inject malicious code, probably because the Build Release team is the only one that can push code from Development into Production. Even then, Toubba added, the code needs to be reviewed, tested, and validated. What’s more, Toubba said that the LastPass Development environment is “physically separated” from the Production environment.
To ensure an incident like this one does not repeat, LastPass deployed “enhanced security controls including additional endpoint security controls and monitoring,” together with extra threat intelligence features and enhanced detection and prevention technologies. These technologies were deployed in both the Development and Production environment.
Late last month, the company spotted “unusual activity” and, following an investigation, discovered a security compromise.
The initial investigation found no evidence of threat actors accessing customer data or password vaults, meaning no action from end users was required.