Tom here from Lawrence Systems. It is March 2nd of 2023, and no, this is not a new breach from LastPass. I want to just reiterate that this is just a deeper dive into what happened, because forensics and investigations take time. Good news is LastPass hired Mandiant. Mandiant is very well respected when it comes to dealing with this type of situation. They focus on that enterprise market and they do deep dives. These deep dives take a lot of time, and now we know the results. We know what LastPass did wrong: they mixed business and personal. A DevOps engineer was using his personal computer to do some business work, and we're gonna dive into exactly what happened. But I just want to reiterate: this is a mistake, but not like an amateur mistake. This is a mistake that is well documented in plenty of other places, that you don't do this. You don't mix business and personal; you lock it down, especially if you're LastPass or any high-value target. You really create an extremely clear separation so this doesn't happen. Let's dive into the details and the results that they shared from their blog post, and a little bit of other news that was from Ars Technica on this topic. Now we're gonna start here with the initial details.
Everything I'm talking about here will be linked down below. "Despite high confidence in the outcomes of our investigation and actions taken in response to the first incident, the threat actor leveraged information stolen during the first incident" (now these are both the incidents I've talked about already) "and then the information available from a third-party data breach, and a vulnerability in a third-party media package." This part I think is really interesting: a third-party data breach. We don't know what data breach that is, but it almost suggests password reuse, because if you have a data breach at a third party and they get the passwords, those passwords should be unique to that provider. You're using the LastPass password manager or some other password manager of your choice, but the idea is to have a unique password everywhere. So I think that's an interesting statement they put in there, but we don't know enough details that really tell us how that information was leveraged. Now, the vulnerability in a third-party media package: we're gonna jump to an Ars Technica article in a moment to cover that. But let's dive into why it took them a little while to figure this out, because specifically "the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment." This is why it took them so long to find, because it "initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity."
This is where it's kind of, I don't know why they don't have better controls over this, because they do say they're using AWS GuardDuty alerts when someone comes in from the same VPN or the same IP. Maybe this person traveled and they were coming in from a lot of different IPs, and that's how the threat actor was able to go, "hey, this person bounces around from coffee house to travel," and that is a common use case. And you have to really be vigilant on monitoring the different IPs your users come in at if you're a company of the stature of LastPass, and not everybody does this. It is obviously a burden, because if you block only maybe a small list of IPs, or maybe you filter your VPN to only US IPs, we still know where this person lives, but maybe you geofence them a little bit and flag when something tries to log in outside that geofence, and then you have to, you know, go through a secondary alerting process. These are all things that there are systems for, but I don't think LastPass was doing it, is the impression I'm getting here. Now, this is where the targeting of that DevOps engineer and the improper separation come in; they just didn't separate their business and work life. "This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant a keylogger." And I covered this in the Cisco event, when Cisco had someone breach their system: Cisco knew everything that was typed, right down to the typos, and I pointed that out when I covered that breach. I have a video link down below, and I have a feeling that LastPass doesn't have that level of visibility, or this was the personal computer that they allowed their company VPN to be loaded on. So that's a pretty big security event right here, happening all because someone was using their personal computer, or maybe they had access on their business computer to load this software.
I'm not a hundred percent clear on that, but that's not good either way you slice it. Now, here's the Ars Technica article, and "according to a person briefed on a private report from LastPass who spoke on the condition of anonymity, the media software package that was exploited on the employee's home computer was Plex." And they do point out, interestingly, Plex reported its own network intrusion on August 24th, and this was a password breach over at Plex. Now this is interesting, because of that first line I mentioned where they used data from a third-party app. Now, did they just learn this person was using Plex from that? Because maybe they were using their LastPass email address and registered Plex with it. Maybe; that information is not available to us. Or did they do some password reuse? I don't know. I hope that's not the case, but this is an interesting coincidence. But we only have this from Ars Technica; we don't know absolutely for certain that it was Plex, and Plex did comment on this: "We have not been contacted by LastPass so we cannot speak to specifics of their incident." Because the question is, is there a flaw in Plex? I know a lot of people run Plex, and I've preached a lot on this channel about keeping everything in separate buckets, separate VLANs, separate security, so you have your Plex and the things running on one side of the fence, and maybe something that you care about, like your work computer, on another side. Now, just getting access to Plex and getting access to a local server is one thing, but Plex running on your computer is a whole different ballgame and should never be done for a work computer. Kind of an odd use case in my opinion, but that seems to be related to this incident: that media software was involved. Now I'm gonna leave this link here: episode 86, The LinkedIn Incident. This is a fun deep dive for any of you that are wondering. This actually happened a number of years ago, so there's plenty of corporate evidence of targeting, and I'll highlight it.
I won't spoil it, though. So the hacker starts by looking at LinkedIn's website for people who work there: engineers, system administrators, anyone who might have access into that VPN. And, you know, LinkedIn was breached. This is a great Darknet Diaries episode that walks through what happens when a threat actor, a very determined one, has decided he wants to target, and there's a lot that goes into this one. It's a great episode, but this sophistication was years ago; threat actors have gotten better, or worse. One of the points I just really want to hammer home in this video is this is why I talk so much about separation of things. Because you're worried about your computer being compromised if you do work, you do personal work. You're a home user; even more so when you're a business user, and that gets amplified if you're an enterprise business. Usually you work for a large company that has something that a large threat actor is interested in, whether it's to ransomware, to gain access, to steal intellectual property. These are more and more reasons to keep things very, very separate. We do this internally with my company. We do not load extra software. Not my employees; even the ones that work from home, they are provided a computer to do so, and I'm a small little company here doing this. It is just imperative. It's important. I want people to really think about it, because these things happen. That Darknet Diaries episode, like I said, it's an older one, but boy, is it good. I just, it'll walk you through it. Just, you know, I like Darknet Diaries in general, but it really walks you through the sophisticated attacks that are occurring when there's a high value on the other side. Home users, I will say, could be attacked on this. This is one of those things that come up sometimes of, you know, how worried should I be if I'm running Plex? And I don't know, do they want to steal your Plex library?
Do they want to encrypt it, ransom you? Could you pay it? Threat actors do go after home users; they've got a more automated way. If there's a problem, they'll exploit it. But it's still good practice, and if you are a home user, and a lot of you have a job in corporate, even if that job may not be technical, you still may be a target for things like this, because if your company has something they can exploit, it's all about figuring out ways to be leveraged inside. So let me know your thoughts down below, head on to my forums for more in-depth discussion, and thanks.
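As an added illustration of the "geofence them and flag logins outside it" monitoring described in the video (this is my example, not code from the video or from LastPass): a small Python checker that walks constructed VPN login lines, flags logins from outside a user's expected countries, and also flags impossible travel between two consecutive logins. The user name, IPs, coordinates and the IP-to-location table are all constructed stand-ins for a real GeoIP lookup; alerts would feed the secondary review process the video mentions.

```python
# Added example (not from the video or LastPass): geofence + impossible-travel
# check over constructed VPN login records. A real deployment would resolve
# IP -> location with a GeoIP database instead of the table below.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed per-user policy: countries the user is expected to log in from.
# Unknown users match nothing, so every login from them is flagged (fail closed).
GEOFENCE = {"devops1": {"US"}}

# Constructed IP -> (country, lat, lon) table standing in for a GeoIP database.
GEOIP = {
    "203.0.113.10": ("US", 42.33, -83.05),   # home ISP, Detroit area
    "198.51.100.7": ("US", 41.88, -87.63),   # coffee shop, Chicago
    "192.0.2.44":   ("DE", 52.52, 13.41),    # Berlin
}

# Constructed VPN log lines: ISO timestamp, user, source IP.
LOG = """\
2023-02-01T08:00:00 devops1 203.0.113.10
2023-02-01T13:30:00 devops1 198.51.100.7
2023-02-01T14:05:00 devops1 192.0.2.44
"""

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(log, max_kmh=900):
    """Return alert strings for out-of-fence logins and impossible travel."""
    alerts, last = [], {}  # last[user] = (timestamp, (lat, lon))
    for line in log.splitlines():
        ts_str, user, ip = line.split()
        ts = datetime.fromisoformat(ts_str)
        country, lat, lon = GEOIP.get(ip, ("??", None, None))
        if country not in GEOFENCE.get(user, set()):
            alerts.append(f"{ts_str} {user} login from {ip} ({country}) outside geofence")
        if user in last and lat is not None:
            prev_ts, prev_pos = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(prev_pos, (lat, lon)) / hours > max_kmh:
                alerts.append(f"{ts_str} {user} impossible travel from {prev_pos} to {(lat, lon)}")
        if lat is not None:
            last[user] = (ts, (lat, lon))
    return alerts
```

Running `detect(LOG)` flags only the Berlin login, once for being outside the fence and once because reaching it from Chicago in 35 minutes is not possible; the Detroit-to-Chicago hop passes as ordinary travel.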