The Organization’s website says it is a provider of “password and identity management solutions.” One of the Organization’s products / solutions is “a secure digital vault for passwords and login details…” As part of its operations, the Organization “uses Amazon Web Services (AWS) for routine cloud storage, archiving and back up services…”

On November 2, 2022, the Organization was alerted to suspicious activity within its cloud storage environment. On November 27, 2022, the Organization identified that “there was a sufficient likelihood of customer data being accessed.” On December 15, 2022, the Organization confirmed that a “backup copy of the user main database and encrypted vault data was exfiltrated from the [Organization’s] AWS account.” A March 1, 2023 public notice explained “The threat actor was able to copy five of the Binary Large Objects (BLOBs) database shards that were dated: August 20, 2022, August 30, 2022, August 31, 2022, September 8, 2022, and September 16, 2022. This took place between September 8 – 22, 2022.”

An investigation determined this incident was the result of a series of cyberattacks that took place in August 2022, in which a threat actor targeted a software engineer and a DevOps engineer. The threat actor ultimately deployed malware on a “DevOps engineer’s home computer,” leading to the compromise of a “LastPass corporate vault.” “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.” The attacker “engaged in … enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.”
P2023-ND-014