Post AT8TLYFFgtLukcphFg by thegibson@hackers.town
Post #AT7wMQIFRYb1tL2fwm by briankrebs@infosec.exchange
2023-02-28T02:28:05Z
1 likes, 0 repeats
We're getting some more detail from LastPass about their two breaches last year that were from the same attacker. There's a lot to unpack here, but this detail about targeting a LastPass DevOps employee on their home computer is somewhat sobering:

"Due to the security controls protecting and securing the on-premises data center installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service."

"This was accomplished by targeting the DevOps engineer's home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault."

https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
Post #AT80hbQncykSKiOen2 by thegibson@hackers.town
2023-02-28T04:01:02Z
0 likes, 0 repeats
@briankrebs let's get down to brass tacks. Anyone who works at a vendor with wide-reaching access to customer environments needs to be fully aware that they are likely a target. I have this talk with my team regularly. This isn't the first. SolarWinds, Kaseya, this... On and on.
Post #AT80hc0xSXfi8rJX9M by thegibson@hackers.town
2023-02-28T04:04:23Z
0 likes, 0 repeats
@briankrebs further, I don't blame the company, their practices, nor the employee. A determined attacker is very different than defending against low-hanging-fruit attacks. We should all be taking this time to get our own houses in order, rather than press blame.
Post #AT80hcZLOhB3rVOzkO by adam@hax0rbana.social
2023-02-28T05:19:06Z
0 likes, 0 repeats
@thegibson @briankrebs I dunno, letting employees use "personal resources" to access the keys to production backups with the most sensitive client data is a pretty bad practice. Fix that and you can be confident they won't be logging in as an administrator every day, that they won't have unpatched vulns, etc. I agree that anyone subject to this level of threat (like storing the passwords of hundreds of thousands of people) should be aware of what they're up against.
Post #AT81CHKsOO94z8Fmca by thegibson@hackers.town
2023-02-28T05:24:42Z
0 likes, 0 repeats
@adam @briankrebs You're not wrong. But that time passed when the failure occurred in my book. Time to learn, plan and adjust. Far more benefit there.
Post #AT8TLSWOyDVP04oJ9M by Wrewdison@hackers.town
2023-02-28T05:17:26Z
0 likes, 0 repeats
@thegibson @briankrebs while true, I think there's a lot of blame that can be absorbed by LastPass here. They had some pretty shady practices and have tried to play down the severity several times. I'm not one to cast stones - I know how hard this shit is - but they did drop the ball a few times. We ALL need to learn from it and step up our game. Fully agree we need to get our houses in order. I'm just not quick to let them off the hook.
Post #AT8TLTDIOjoh96sZ0a by thegibson@hackers.town
2023-02-28T05:19:02Z
0 likes, 0 repeats
@Wrewdison Pulling Krebs off here, to not blow him up. You're not wrong. But that time passed when the failure occurred in my book. Time to learn, plan and adjust. Far more benefit there.
Post #AT8TLU7J2UcTwp5IJM by Wrewdison@hackers.town
2023-02-28T05:32:39Z
0 likes, 0 repeats
@thegibson I'd agree except they're still trickling out the info about it, and doing so in sneaky ways. That's my major issue - they're slowly trickling details out and actively trying to downplay the severity. Note I don't disagree with what you're saying about learn, plan, and adjust... but we can do that while still holding them to account.
Post #AT8TLV6HNnOOzvbzLk by thegibson@hackers.town
2023-02-28T05:34:11Z
0 likes, 0 repeats
@Wrewdison No doubt there... My earlier post alluded to that. I just see where a similar thing could easily happen in nearly any org that manages wide swaths of customer environs. I don't think any of us could not be hit by a determined attacker given enough time.
Post #AT8TLW4Bn3JZzjdpjM by thegibson@hackers.town
2023-02-28T05:34:54Z
0 likes, 0 repeats
@Wrewdison Also, my real question is... This is a lot of data... no detection of exfiltration is kind of telling too.
Post #AT8TLX6LwUdjCjf4k4 by Wrewdison@hackers.town
2023-02-28T05:37:24Z
0 likes, 0 repeats
@thegibson that is telling and baffling to me. How do you not notice?!
Post #AT8TLYFFgtLukcphFg by thegibson@hackers.town
2023-02-28T05:39:43Z
0 likes, 0 repeats
@Wrewdison right? That is my main question here... Possible that the data was laundered through that Plex server I suppose... may not have had any sensors on it that fed their detection systems?
Post #AT8TLZPZM1CQMufRyK by maddiefuzz@hackers.town
2023-02-28T05:42:05Z
0 likes, 0 repeats
@thegibson @Wrewdison There was a Plex server involved?
Post #AT8TLaTrNYE3gVgOIa by thegibson@hackers.town
2023-02-28T05:44:56Z
0 likes, 0 repeats
@maddiefuzz @Wrewdison apparently, yes. Unclear as to whether Plex was on the work laptop, or another device was being used to access work data that was out of band.
Post #AT8TLbBok7O5sqFUoa by earthshine@hackers.town
2023-02-28T07:55:12Z
1 likes, 1 repeats
@thegibson @maddiefuzz @Wrewdison good time to remind all my selfhosting homies that you should be following good security practices at home and not allowing insecure devices to have free rein of your networks. There's likely a lot of steps along the way where this could have been thwarted by some common-sense practices... but the nature of an APT is that they don't give up the first time or the hundredth time you thwart their attacks. Leave no weak links in the chain to be discovered. P.S. Plex sucks.
Post #AT8gmkeuwWA6TW8cBU by feld@bikeshed.party
2023-02-28T13:10:17.776957Z
0 likes, 0 repeats
Plex doesn't act like a file server, so how would that even work? You'd have to add data to the media library that it can't process and try to fetch it from the same Plex account on another device you control? Or share your library with another account? I'm skeptical this would work well, especially with email notifications on account activity.

Their corporate firewall would have to get bypassed somehow (port 32400 not open), and Plex doesn't do that automatically except with Plex Relay, which goes through their cloud. But Plex Relay doesn't serve raw files, so it needs to be valid media that can be transcoded to a stream that is 2 Mbit for paying users and 1 Mbit for free users.

This would be a nearly possible way to exfiltrate.

PS: if you use my FreeBSD port for Plex, I have an option to not even install the Plex Relay binary.