lahamaker.blogg.se

Lastpass mfa

Popular password management company LastPass has been under the pump this year, following a network intrusion back in August 2022. Details of how the attackers first got in are still scarce, with LastPass’s first official comment cautiously stating that:

"An unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account."

A follow-up announcement about a month later was similarly inconclusive:

"The threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication."

How does one mitigate the effects of the LastPass leak?

The user's MFA has no bearing on an offline attack against the encrypted stores. Encryption is deterministic: given an input and a key, it will always decrypt. There is no way to involve a random number sent over text in the process. Further, decryption isn't really authenticating the decryptor, so the acronym doesn't really fit.

Remember the multiple factors: know, have and are. If an attacker can exfiltrate ("know") both the encrypted data and the key, it's game over. If the key can be turned into something one has, it's a lot stronger. Hardware security modules (HSMs) have strong assurances that private portions of key material can never leave the HSM. One has to "have" the HSM (or, more accurately, have access to the HSM) to decrypt anything. Given that an HSM is standard practice for most cloud-based storage of PII, hopefully LastPass did this and these encrypted backups will stand the test of time.

One could simply attack the crypto involved, bypassing the need to "have" the HSM. But this is probably akin to guessing what code the user was sent over SMS. Not impossible, but improbable on the scale of a useful attack.