Dev & DevSecOps | March 2, 2023

The Week in Security: LastPass shares disturbing breach details, CISA calls for software maker liability

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.

Carolynn van Arsdale, Writer, ReversingLabs

This week: New details expose that the recent hack on LastPass was worse than previously thought. Also: CISA has called for software makers who develop insecure software to be held liable.

This Week’s Top Story

LastPass breach worse than previously thought

LastPass, a password management company, had a rough end to 2022. The company suffered a hack in August of that year and disclosed that attackers had accessed LastPass’s development environment and taken portions of its source code and proprietary technical information. In December 2022 the company shared further details: the hackers had also stolen vault data containing both encrypted and unencrypted data, including customer information.

Now ZDNet has reported the latest development in the LastPass breach, showing that it was more damaging than previously thought. In a recent statement, the company said that the hackers used information stolen in the August 2022 attack, along with data from other breaches and exploits, to launch a second attack on LastPass. This new attack targeted a senior DevOps engineer at the company by compromising their home computer. That engineer held the high-level credentials needed to use the decryption keys for the company’s cloud storage service.

According to ZDNet, the exact details of LastPass’s latest attack are not certain. However, the company did share that the engineer’s computer was compromised through “a vulnerable third-party media software package.” This allowed the attackers to install keylogger malware on the engineer’s computer, giving them access to whatever the employee typed on the machine. Through this, the attackers captured the master password and gained access to LastPass’s corporate vault, “which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” according to the company.

LastPass is now taking several security measures to handle the latest attack, and is urging both business administration users and general customers to change their master passwords.

[ See a roundup of response to the LastPass revelations in this week's Secure Software Blogwatch ]

News Roundup

Here are the stories we’re paying attention to this week…

CISA Director says companies should be made liable for insecure software products (The Washington Post)

Congress should advance legislation allowing software manufacturers to be held legally liable for the insecurity of their products, and it should also shield companies that develop secure software from legal liability, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said this week.

'Major' data breach reported by U.S. Marshals Service, with sensitive data being potentially exposed (USA Today)

Agency spokesman Drew Wade said the incident targeting a "stand-alone" system was discovered Feb. 17, prompting officials to "disconnect" its operation while launching an investigation into what authorities described as a "major incident."

Hackers claim they breached T-Mobile more than 100 times in 2022 (Krebs on Security)

Three different cybercriminal groups claimed access to internal networks at T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

Why software teams should care about Biden's 2021 cybersecurity act in 2023 (CPO Magazine)

Dotan Nahum of Check Point Software Technologies argues that while it’s been two years since its enactment, it’s important to remind companies why President Biden's 2021 Executive Order on Improving the Nation's Cybersecurity is critical to follow.

Cybercriminals targeting law firms with GootLoader and FakeUpdates malware (The Hacker News)

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains.
