Malware Activity
LastPass Password Manager Discloses Security Incident Involving Customer Vault Data and PII
LastPass, a leading password manager, disclosed on December 22, 2022, that it has suffered a security incident involving an unauthorized party exfiltrating a backup of customer vault data and other personally identifiable information (PII) through a cloud-based storage service. Karim Toubba, the CEO of LastPass, released a notice explaining that the third-party actors gained access to this service by leveraging information obtained from the company's security incident that was disclosed in August 2022. In August, actors exfiltrated a portion of the platform's source code and technical information from a development environment but did not have access to customer data. The August data was used to "target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service." Toubba continued to detail that some of the copied data contains "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service." The customer vault data that was stolen contains both unencrypted data (such as website URLs) and encrypted sensitive fields (such as website usernames and password, secure notes, and form-filled data), which are secured with 256-bit AES encryption. It is emphasized that the encrypted data can only be decrypted with a unique encryption key derived from each user's master password, which is "never known to LastPass and is not stored or maintained by LastPass," using the platform's Zero Knowledge architecture. Actors that have access to the exfiltrated data may attempt to target LastPass customers with phishing attacks, credential stuffing, or brute force attacks to gain master passwords and decrypt the exposed vault copies. However, users that reuse their master password on other platforms that also use their email address or telephone number are recommended to change all the passwords that are saved in their vaults, as actors may use already available data dumps of compromised credentials to attempt to access users' accounts. CTIX analysts will continue to monitor this security incident and report on advancements in the next coming weeks when applicable.
Threat Actor Activity
RedDelta Targets Europe & South Asia in New Espionage Campaign
Threat actors associated with the RedDelta threat organization recently launched a new campaign targeting entities throughout Europe and Southeast Asia. Historically, RedDelta (also tracked commonly as Mustang Panda/TA416) has conducted numerous long term cyberespionage campaigns pertaining to Chinese government interests. These targets have included government entities, public sector operations, and overseas organizations associated with minority groups. In their recent campaign, initial infection from RedDelta actors originated from spear phishing emails containing a malicious attachment disguised as a Microsoft Word document were delivered to the targeted users. Generically, these documents were themed around government and migration policies within Europe. Threat actors utilized a double extension method for masking attachment integrity, simply by showing a ".doc.lnk" extension supported by a Microsoft Office icon next to the file download. Once all dependencies are established, the malicious code begins to decrypt the “PlugX” payload and mount it to the compromised system. After installation, PlugX maintains the capabilities to harvest keystroke data, upload/download/modify files, remote camera access, and full access to the Windows command line. RedDelta customized their version of PlugX malware to include advanced evasion/detection techniques to mask its illicit activity on the compromised system. CTIX continues to urge users to validate the integrity of all email correspondence prior to opening any attachments or visiting embedded links.
Vulnerabilities
Password Management Solution Passwordstate Discloses Six Vulnerabilities
Passwordstate password management solution has had multiple high-severity vulnerabilities disclosed this past week. If successfully exploited, remote actors could obtain user’s plaintext passwords. The vulnerabilities allow for unauthenticated threat actors to exfiltrate passwords, overwrite passwords, and continue to elevate privileges within Passwordstate applications. Some of the vulnerabilities, including CVE-2022-3875 (an authentication bypass flaw of Passwordstate’s API), CVE-2022-3876 (a bypass flaw of access controls), and CVE-2022-3877 (a cross-site scripting flaw for every password entry URL field) can be chained together to gain shell access on the Passwordstate host system and consequently cause all the password’s plaintext to be exposed. Three (3) additional vulnerabilities are noted, without CVEs, that involve an insufficient mechanism for security passwords, the use of hard-coded credentials, and the use of insufficiently protected credentials for Password Lists. According to modzero AG's report, a threat actor could use nothing more than a valid username and a forged API token for an admin account to exploit the XSS vulnerability to harvest passwords, export them to a specified domain, and elevate privileges to facilitate the execution of arbitrary remote code. Passwordstate is recommending users update to version 9.6 - Build 9653 to correct this issue. CTIX analysts will continue to monitor for vulnerabilities relating to password management solutions.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
