
LastPass Reveals Additional Details of Their Second Hack

LastPass shared additional updates regarding the second security incident disclosed in December, in which an unnamed threat actor combined data stolen from the August 2022 breach with information from another data breach and a vulnerability in a third-party media software package to launch a coordinated attack. In this attack, the threat actor targeted a senior DevOps engineer by breaching their personal home computer through the vulnerable third-party software. They installed a keylogger, bypassed existing controls, and gained unauthorized access to cloud backups.

The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault. The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.

In the aftermath of the incident, LastPass claimed to have upgraded its security posture by rotating critical and high privilege credentials and reissuing certificates obtained by the threat actor. In addition, they applied extra S3 hardening measures to put in place logging and alerting mechanisms. LastPass has released a new security advisory and a PDF detailing further information about the breach and the stolen data. The parent company of LastPass, GoTo, announced that it will inform individuals if their data has been breached and provide “actionable steps” to ensure greater security for their accounts. It is highly recommended for LastPass users to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

Summary of data accessed

  • DevOps Secrets – restricted secrets that were used to gain access to our cloud-based backup storage.
  • Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
  • Backup of LastPass MFA/Federation Database – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.

Additional details can be found here.

Recommendations

LastPass users are strongly urged to change their master passwords and all the passwords stored in their vaults to mitigate potential risks, if not done already.

Mitigations

LastPass has provided two security bulletins to assist customers in their own incident response efforts.

  • Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families Customers. This bulletin guides our Free, Premium, and Families customers through a review of important LastPass settings designed to help secure their accounts by confirming best practices are being followed.
  • Security Bulletin: Recommended Actions for LastPass Business Administrators. This bulletin guides administrators for our Business and Teams customers through a risk assessment of LastPass account configurations and third-party integrations. It also includes information that is relevant to both non-federated and federated customers.



Cloud Computing and Security

Cloud Computing

The National Institute of Standards and Technology (NIST) describes cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 

Cloud Service Providers (CSP) offer three types of services:

  • Software-as-a-Service (SaaS)
    • This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser. The cloud provider is responsible for nearly all security since the cloud user can only access and manage their use of the application and can’t alter how the application works.
  • Platform-as-a-Service (PaaS)
    • This category of Cloud computing provides a platform and environment for developers to develop, test and deliver software applications. The cloud provider is responsible for the security of the platform, while the user is responsible for everything they implement on the platform, including how they configure any offered security features.
  • Infrastructure-as-a-Service (IaaS)
    • The most basic category of Cloud computing services is Infrastructure-as-a-Service. With IaaS, an organization rents IT infrastructure: servers, virtual machines, storage, and networks. The provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the user.

Organizations have taken advantage of the benefits of cloud computing which include reduced capital expenses, high availability, agility, resiliency, and redundancy.

Cloud Security

When moving services and data to the Cloud, an organization must understand its security and compliance requirements, because security is shared between the organization and the Cloud Service Provider under the responsibility model described above. The user is responsible for security IN the cloud and the provider is responsible for security OF the cloud. Depending on the Cloud service being used, the user’s security responsibility can include patching the operating systems as well as the applications; this is the case with the Infrastructure-as-a-Service offering. If the user moves to a Platform-as-a-Service offering, they are no longer responsible for maintaining and patching the Operating System.

Figure 1 graphically depicts the boundaries and ownership of security responsibilities. Regardless of the services utilized, the user is always responsible for their data security.

Moving to the Cloud?

Is your organization looking to move to the Cloud?  Are you evaluating providers to find out what service will work best for your requirements?  If so, there are a few questions that should be clarified to make an informed decision before committing to a move.

  • What does the Cloud Service Provider offer for Identity and Access Management?
    • This includes identification, authentication, and authorizations (including access management).
    • This is how you determine who can do what within your cloud platform or provider.
  • What security standards are supported by the Cloud Service Provider?
    • Payment Card Industry Data Security Standard (PCI DSS)
    • General Data Protection Regulation (GDPR)
    • Health Insurance Portability and Accountability Act (HIPAA/HITECH)
    • National Institute of Standards and Technology (NIST) SP 800-171
  • Where will your data be located?
    • Some regulatory requirements may dictate where the data is stored and processed
  • What type of automation is offered by the Cloud Service Provider?
    • Automation aids in reducing human configuration errors
  • Do you always “own” your data?
    • Can you encrypt, move, or destroy data at your discretion?
  • How does the Cloud Service Provider handle these five parts of the cybersecurity lifecycle?
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

Your Data/Your Responsibility

Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data, and the security of that data is, and always will be, your responsibility regardless of where it is stored or processed.

Cyber Liability insurance is on the rise, and with it an expectation of measurable efforts devoted to keeping information secure. Breaches can cause serious damage to your organization, not only financially but from a reputation standpoint as well.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.  

If you are interested in a complimentary strategy session, contact us here.



Fortinet Patches 40 Flaws Affecting FortiWeb, FortiOS, FortiNAC, and FortiProxy

Fortinet released security advisories for 40 vulnerabilities to inform customers of available security patches. Affected Fortinet products include FortiWeb, FortiOS, FortiNAC, and FortiProxy, among others. Two of the vulnerabilities are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. 

CVE-2022-39952 (CVSS score: 9.8) is a severe bug in the FortiNAC solution that could lead to arbitrary code execution. It can be exploited by an unauthenticated attacker to write arbitrary files on the system and achieve remote code execution with the highest privileges. Organizations using FortiNAC 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, and all versions on the 8.8, 8.7, 8.6, 8.5, and 8.3 branches are urged to prioritize applying the available security updates (FG-IR-22-300). Additionally, researchers from Horizon3 have recently released PoC exploit code, which is available on the company’s GitHub repository. FortiNAC administrators are strongly recommended to immediately upgrade to a version of the product that is not affected by the CVE-2022-39952 vulnerability.

The second flaw, CVE-2021-42756 (CVSS score: 9.3), was discovered more than one year ago and is a set of stack-based buffer overflows in FortiWeb’s proxy daemon that could allow an unauthenticated remote attacker to achieve arbitrary code execution via specially crafted HTTP requests. It has been fixed (FG-IR-21-186) in FortiWeb versions 7.0.0 or above, 6.3.17 or above, 6.2.7 or above, 6.1.3 or above, and 6.0.8 or above.
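As an added example (not part of the Fortinet advisory or this page), a small Python triage helper that encodes the affected and fixed version ranges quoted above, so an asset inventory can be checked for FortiNAC builds exposed to CVE-2022-39952 and FortiWeb builds still missing the CVE-2021-42756 fix. The sample inventory is constructed, and a FortiWeb branch the advisory does not name is reported as needing review rather than as fixed.

```python
from typing import List, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.2.5' -> (9, 2, 5); shorter strings such as '9.4' are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

# FortiNAC builds the advisory lists as vulnerable to CVE-2022-39952 (FG-IR-22-300).
FORTINAC_AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 0)),  # 9.4.0 only
    ((9, 2, 0), (9, 2, 5)),  # 9.2.0 through 9.2.5
    ((9, 1, 0), (9, 1, 7)),  # 9.1.0 through 9.1.7
]
FORTINAC_AFFECTED_BRANCHES = {(8, 8), (8, 7), (8, 6), (8, 5), (8, 3)}  # every release on these

def fortinac_affected(version: str) -> bool:
    """True when the FortiNAC build falls inside an affected range from the advisory."""
    v = parse_version(version)
    if v[:2] in FORTINAC_AFFECTED_BRANCHES:
        return True
    return any(lo <= v <= hi for lo, hi in FORTINAC_AFFECTED_RANGES)

# FortiWeb: first build per 6.x branch that carries the CVE-2021-42756 fix (FG-IR-21-186).
FORTIWEB_FIRST_FIXED = {(6, 3): (6, 3, 17), (6, 2): (6, 2, 7), (6, 1): (6, 1, 3), (6, 0): (6, 0, 8)}

def fortiweb_fixed(version: str) -> bool:
    """True at or above the branch's fixed release, or at 7.0.0 and above. Branches the
    advisory does not name (anything below 6.0) are reported as not fixed so they get reviewed."""
    v = parse_version(version)
    if v >= (7, 0, 0):
        return True
    first_fixed = FORTIWEB_FIRST_FIXED.get(v[:2])
    return first_fixed is not None and v >= first_fixed

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (product, version, CVE) for every inventory entry that still needs an update."""
    needs_update = []
    for product, version in inventory:
        if product == "FortiNAC" and fortinac_affected(version):
            needs_update.append((product, version, "CVE-2022-39952"))
        elif product == "FortiWeb" and not fortiweb_fixed(version):
            needs_update.append((product, version, "CVE-2021-42756"))
    return needs_update

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [("FortiNAC", "9.2.5"), ("FortiNAC", "9.4.1"), ("FortiNAC", "8.6.2"),
                    ("FortiWeb", "6.3.16"), ("FortiWeb", "6.3.17"), ("FortiWeb", "7.2.0")]
if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print("UPDATE NEEDED:", *entry)
```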

Affected Software 

See: PSIRT Advisories. 

Recommendation 

Organizations are recommended to view the PSIRT Advisories and apply available security updates for affected products. 



Hackers Use Microsoft OneNote Attachments to Spread Malware

Description 

Malicious actors are using a new file format, Microsoft OneNote attachments, to spread malware to targets. Because OneNote lets users insert attachments into a notebook, threat actors abuse this feature by embedding malicious VBS attachments that, when double-clicked, run and download malware from a remote site and install it. Since an inserted attachment appears as a file icon in OneNote, threat actors overlay a large ‘Double click to view file’ bar over the embedded VBS attachments to hide them. If the ‘Click to View Document’ bar is moved out of the way, it can be seen that the malicious notebook actually contains multiple attachments. The actors arrange them so that wherever a user double-clicks on the bar, the second click lands on an attachment and launches the malware. Fortunately, OneNote displays a warning before running an attachment. However, if a victim ignores the warning and clicks OK, the VBS script runs, downloading and installing the malware. This gives the threat actor remote access to the victim’s device to steal files and saved browser passwords, take screenshots, and in some cases even record video from the webcam.

Fake DHL Email with OneNote Attachment 

Malicious OneNote Email Attachment

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:  

MDR Services 

  • We have added indicators related to known malicious threat actors into our blocklists in our MDR solution, FortiSIEM.  
  • Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.  

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.   

As always, if we detect activity related to these exploits, we will alert you when applicable.  

Recommendations 

  • The best way to protect against malicious attachments is to simply not open files from people you do not know. If a file is mistakenly opened, do not disregard the warnings displayed by the operating system or application.  
  • If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.  
  • If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.  
  • Consider blocking “.one” attachments. See: 
  • OneNote users are recommended to enable multi-factor authentication, use antivirus protection, and follow the best security practices for preventing phishing attacks.    
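One way to act on the “.one” blocking recommendation above, as an added example that is not part of the advisory or of SecurIT360’s tooling: a Python attachment screen that blocks on the extension and also recognizes a notebook sent under another extension by its MS-ONESTORE file-type GUID (taken from that specification, not from this page). The sample attachments are constructed.

```python
import uuid
from dataclasses import dataclass
from typing import List, Tuple

# guidFileType of a .one notebook per MS-ONESTORE; the file header stores it little-endian.
ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le

@dataclass
class Attachment:
    filename: str
    content: bytes

def onenote_reason(att: Attachment) -> str:
    """Why the attachment counts as a OneNote notebook, or '' when it does not."""
    # Extension check is case-insensitive so 'DHL.ONE' is treated like 'dhl.one'.
    if att.filename.lower().rsplit(".", 1)[-1] == "one":
        return "filename has a .one extension"
    # Header check catches a notebook sent under a different extension.
    if att.content.startswith(ONE_FILE_MAGIC):
        return "content starts with the MS-ONESTORE .one file header"
    return ""

def screen_message(attachments: List[Attachment]) -> List[Tuple[str, str, str]]:
    """Return (filename, action, reason) per attachment: 'block' for OneNote, else 'allow'."""
    verdicts = []
    for att in attachments:
        reason = onenote_reason(att)
        verdicts.append((att.filename, "block" if reason else "allow",
                         reason or "no OneNote indicator"))
    return verdicts

# Constructed sample attachments (no real malware), mirroring the DHL-themed lure above.
SAMPLE_MESSAGE = [
    Attachment("DHL_Shipment_Document.ONE", ONE_FILE_MAGIC + b"\x00" * 32),
    Attachment("invoice.pdf", b"%PDF-1.7 sample"),
    Attachment("scan.dat", ONE_FILE_MAGIC + b"\x00" * 32),  # notebook renamed to dodge extension rules
    Attachment("notes.one", b"not really a notebook"),     # policy blocks on the extension alone
]

if __name__ == "__main__":
    for name, action, why in screen_message(SAMPLE_MESSAGE):
        print(f"{action:5} {name:28} {why}")
```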

Detections 

SOC Prime has released rules to detect cyber attacks abusing OneNote attachments. Click here to access the full list of relevant detection content.  

MITRE Summary 

  • TA0002 – Execution 
  • T1047 – Windows Management Instrumentation  
  • TA0005 – Defense Evasion  
  • T1027 – Obfuscated Files or Information  
  • T1036 – Masquerading  
  • T1070.006 – Timestomp 
  • T1497 – Virtualization/Sandbox Evasion 
  • T1562.001 – Disable or Modify Tools
  • TA0006 – Credential Access  
  • T1003 – OS Credential Dumping  
  • TA0007 – Discovery 
  • T1057 – Process Discovery  
  • T1082 – System Information Discovery  
  • T1012 – Query Registry  
  • T1016 – System Network Configuration Discovery  
  • T1083 – File and Directory Discovery
  • TA0009 – Collection
  • T1005 – Data from Local System  
  • TA0011 – Command and Control  
  • T1071 – Application Layer Protocol  

Indicators of Compromise (IoCs) 
