LastPass Breach Investigation: An Analysis Through the Lens of Cloud IAM Operations

Apr 25, 2023 | Blogs

This report is an analysis of IAM activities undertaken by the threat actor in the LastPass breach; the source of this analysis is the publicly reported incident timeline from LastPass.

Introduction to the Analysis of the LastPass Cloud Data Breach

This report is a bit different from other traditional breach and incident analysis reports in that it is focused on analyzing the incident from a perspective of IAM (Identity Access and Management) flows. With every cloud breach, it becomes clearer that having a comprehensive understanding of who can access what information is crucial. Complete and contextual visibility over identity and access controls enables cloud operations and security teams to fully manage the risk of unauthorized access, making identity and access fully controllable.

The goal of this analysis is focused on the IAM perspective of the incidents that occurred. This is important because:

  1. Identity and Access Management is the “lynchpin cloud service” that every other cloud service depends upon. No entity or identity can take any action in the cloud without IAM.
  2. Threat actors always leave a cloud IAM footprint in the wake of their enumeration and lateral movement activities.

Analysis of LastPass Cloud Data Breach and Relevant Shadow Access Problems

The following is an analysis of the LastPass DataBreach, outlining IAM Operational gaps that result in Shadow Access problems that enabled each incident/activity.

Timeline Incident/Activity Shadow Access Problem that Enabled Incident/Activity
Aug 8, 2022 1st Identity and Access Breach: Attacker gained access to an S3 bucket containing a) source code folder and b) encrypted backup folder of LastPass customer data.

This was accomplished through an anonymous VPN that bypassed endpoint detection and response capabilities.

Specifically, the attacker leveraged permissions which were never used before by the over-permissioned identity giving it overly-scoped access to folders, including the backup folder of LastPass customer data.

Identity with over-permissioned access used to access data in the cloud.
Aug 12, 2022

Data Exfiltration: External party exfiltrated source code folder and encrypted backup folder of LastPass customer data stored in the same S3 bucket.

Note: the master key for decrypting the data was not available to the over- permissioned identity used to access the folder.

Inability to detect anomalous activity of over-permissioned identity moving data.
Aug 12, 2022 Suspicious Access Activity Detected and Incident Investigation Initiated Inability to quickly detect incidents of access breach and data exfiltration.
Aug 13, 2022 Incident Investigation:
Investigation found that access occurred through an anonymous VPN gateway and anti-evasion tools were used to bypass EDR tools.

Report was submitted and the incident closed.

It is unclear whether the identity used to breach access was still in the system, possibly leaving access open.

Lack of visibility of over-permissioned identity still active/dormant in the system with access to cloud systems.
Oct 26, 2022

2nd Identity and Access Breach
The encrypted data stolen in the first incident contained meta-data that revealed the identities of 4 DevOps engineers who had access to the master key that could unencrypt the data.

The attacker then targeted one of the 4 DevOps engineers and installed a keylogger that captured the master key and then proceeded to exfiltrate all the keys inside the secret vault.

Lack of visibility of compromised DevOps identity and unauthorized access.

For each incident or activity in the timeline of the LastPass data breach, visibility and control of identity and access management in the cloud was the pivotal capability that enabled all further activities (lateral movement, data exfiltration, key logger) by the attacker.

Recommended Best Practices to Prevent Cloud Data Breaches Such As LastPass

Reviewing the timeline of incidents and attacker activity Stack Identity recommends the following best practices to quickly detect and remediate unauthorized, unmonitored and invisible shadow access, thereby preventing the initiation of the entire sequence of events.

Timeline Incident/Activity Recommended IAM Operations Best Practice
Aug 8, 2022 1st Identity and Access Breach: External party gained access to the S3 bucket containing two folders, 1) source code, and 2) encrypted backup folder of LastPass customer data.
  • Continuously monitor the provisioned access risk and policies associated with an identity and remove unused or dormant access and excessive access permissions.
Aug 12, 2022 Data Exfiltration: External party exfiltrates source code and the encrypted backup folder of LastPass customer data.
  • Look for a drift in actions or permissions of a possibly over-privileged identity with access to critical data assets and set notifications via some webhook framework such as Slack.
Oct 26, 2022 2nd Identity and Access Breach

The attacker targeted one of the 4 DevOps engineers whose meta data was available from the initial incident, and proceeded to exfiltrate all the keys inside the secret vault.

  • Keep track of permissions set and/or policies defined for roles providing cross-account access to federated identities.
  • Follow just in time governance for IAM roles that have access to services like KMS and secret vaults and ensure that the keys are periodically rotated.
  • Generate reports every 24 hours to monitor access to the Key Management Services and avoid using permanent secret/access keys for any orchestration/backup platforms storing the key-value pair to access the data assets.
  • Keep track of who has access to what and what actions manifest into weak links.

Collectively; IAM Risks, vulnerabilities, threats and operational gaps have a huge and critical impact on modern cloud data breaches and incidents. Yet, the IAM operational dimension is not viewed with a level of criticality and relevance. Incident after incident calls out IAM as a bullet or a footnote in the forensics analysis. This much is certain. When there are several thousands of APIs and programmatic ways to acquire and elevate access means it’s only a matter of time before access is breached.

Our goal is to call attention to this IAM dimension and learn via these breaches what can be done differently to strengthen Cloud IAM Operations to mitigate this risk.