
LastPass Employee Could've Prevented Hack With a Software Update

The hacker exploited a vulnerability in the Plex Media Server software that was patched in May 2020. 'The version that addressed this exploit was roughly 75 versions ago,' Plex says.

By Michael Kan
March 3, 2023

It turns out the massive breach at LastPass could have been stopped, or at least delayed, if a company employee had updated a piece of software on their home computer. 

This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered. 

At the time, LastPass said only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder whether the hacker had abused an as-yet-undisclosed vulnerability, which could put many other users in harm’s way.

PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee's home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.

Plex told PCMag the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.

The vulnerability disclosure from Plex
(Credit: Plex)

“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” a spokesperson for Plex said. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”   

LastPass declined to comment. But earlier this week, the company confirmed “the threat actor exploited a vulnerability in an earlier, unpatched version of Plex Media Server on a LastPass DevOps engineer’s home computer. We have reached out to Plex Media Server to inform them.”

Why the LastPass employee didn’t update their Plex Media Server is unknown. Plex told PCMag that the company “will provide notifications via the admin UI about updates that are available, and will also do automatic updates in many cases.”

“Without more information about all of the specifics, there is no way for us to speculate why this person did not update Plex over such a prolonged period of time,” the spokesperson added.

The incident goes to show the importance of keeping your software up to date. That said, it’s important to note the hacker already possessed admin access to the employee’s Plex Media Server account in order to exploit the CVE-2020-5741 flaw. This suggests the attacker was already preying on the LastPass staffer, and could have come up with other ways to infect their computer with malware.

Still, the breach at LastPass shows the company made another mistake by allowing the employee to use their home computer to access extremely sensitive data. According to LastPass, the hacker planted keylogging malware on the home computer, enabling them “to capture the employee’s master password as it was entered, after the employee authenticated with MFA (multi-factor authentication), and gain access to the DevOps engineer’s LastPass corporate vault.” 

The access then paved the way for the hacker to steal a copy of customers’ encrypted password vaults, along with unencrypted data on users’ account information, including email addresses and phone numbers. The breach has since shattered trust in LastPass, but the company has been working to bolster its security in response.
