A significant security breach has compromised the password management platform LastPass, originating from a lapse in software maintenance by one of its engineers. This incident underscores the critical risks associated with neglecting timely software updates.

In a disclosure made last week, LastPass provided insights into how attackers leveraged information obtained from an earlier breach prior to August 12, 2022, and combined it with data from a third-party breach and a vulnerability found in a third-party media application to orchestrate a coordinated attack between August and October 2022. This assault ultimately allowed the perpetrators to retrieve partially encrypted password vaults and customer information.

The second wave of this intrusion was particularly focused on a single DevOps engineer within the company. The attackers deployed keylogger malware to target this individual’s home computer, successfully capturing their credentials and infiltrating the cloud storage environment employed by LastPass.

This breach was facilitated by exploiting a nearly three-year-old vulnerability within Plex, which had since been patched. Plex confirmed to The Hacker News that the targeted engineer’s failure to install the update enabled the attackers to execute malicious code on their machine.

The exploited vulnerability, designated CVE-2020-5741 and rated with a CVSS score of 7.2, is a deserialization flaw affecting the Plex Media Server on Windows. It allows a remote, authenticated attacker to execute arbitrary Python code with the privileges of the operating system user currently logged in.

Plex indicated that this vulnerability allowed attackers who had access to the server administrator’s Plex account to maliciously upload files through the Camera Upload feature, which the media server would execute. This vulnerability was initially identified and disclosed to Plex by Tenable in March 2020 and was patched in the version released on May 7, 2020. As of now, the latest version available is 1.31.1.6733.

Unfortunately, the LastPass employee had never updated the software to apply the fix; Plex noted that the version which addressed this issue was roughly 75 releases behind the current one.
