Full Report
In November 2022, GoTo (formerly LogMeIn) disclosed a security breach of their development environment and a cloud storage service used by them and LastPass (their affiliate). The investigation determined that the threat actor gained access to the development environment using ...
Analysis Summary
# Incident Report: GoTo and LastPass Shared Cloud Environment Breach
## Executive Summary
In late 2022, GoTo and its affiliate LastPass disclosed a multi-stage intrusion that reached the third-party cloud storage environment the two companies shared. The threat actor compromised a senior DevOps engineer's home computer through an unpatched third-party media server (not a codec), implanted a keylogger, captured the engineer's master password, and used the access and decryption keys stored in the engineer's corporate vault to reach development resources and production backups. The incident resulted in the theft of customer vault backups (encrypted credential fields plus unencrypted fields such as URLs), customer account metadata, proprietary source code and internal infrastructure documentation.
## Incident Details
- **Discovery Date:** November 2022
- **Incident Date:** August 2022 – October 2022 (activity against the shared cloud storage environment; unusual activity detected and disclosed in November 2022)
- **Affected Organization:** GoTo (formerly LogMeIn) and LastPass
- **Sector:** Information Technology / Software-as-a-Service (SaaS)
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2022
- **Vector:** Remote code execution through an unpatched third-party media server (Plex Media Server) running on a senior DevOps engineer's home computer.
- **Details:** The attacker used the code-execution foothold to implant keylogger malware on the home computer and captured the engineer's master password as it was typed, after the engineer had completed MFA. That opened the engineer's corporate vault, which held the access and decryption keys for the production backups in the shared cloud storage environment.
### Lateral Movement
- **August - October 2022:** Using the keys and credentials recovered from the vault, the attacker accessed the LastPass/GoTo shared cloud storage environment (AWS S3), enumerated the backup buckets and copied their contents.
- **Techniques:** MFA was not broken at the identity provider: the engineer satisfied it, and the keylogger harvested the master password entered after MFA succeeded. Everything downstream used valid credentials and decryption keys, so the storage access looked like normal administrative activity.
### Data Exfiltration/Impact
- **Detailed Impact:** The attacker exfiltrated backups containing customer account metadata (company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses customers used to reach the service).
- **Critical Breach:** Customer vault backups were stolen. Credential fields (usernames, passwords, secure notes) are encrypted with a key derived from each customer's master password, but website URLs in the vault are stored unencrypted, and the encrypted fields are only as strong as the master password and the PBKDF2 iteration count configured on the account, because the attacker can brute-force them offline. Source code and technical documentation were taken as well.
### Detection & Response
- **November 2022:** AWS GuardDuty alerted LastPass when the threat actor attempted to use IAM roles for unauthorized activity, and GoTo/LastPass identified unusual activity in the shared cloud storage service. Logging had been enabled throughout, but the earlier access with valid credentials had not stood out as anomalous.
- **Response:** Mandiant was engaged to conduct a forensic investigation. GoTo and LastPass began rotating credentials and keys and hardening their production environments.
## Attack Methodology
- **Initial Access:** Valid accounts and exploitation of a remote work device (Plex vulnerability).
- **Persistence:** Implementation of a keylogger on a personal device to harvest high-privilege credentials.
- **Privilege Escalation:** Harvesting credentials of a DevOps engineer with administrative access to cloud environments.
- **Defense Evasion:** Use of legitimate credentials and decryption keys, so the storage access was hard to distinguish from ongoing legitimate administrative activity.
- **Credential Access:** Keylogging of the master password and decryption of the engineer's corporate vault to recover the backup access and decryption keys.
- **Discovery:** Cloud environment mapping and identification of backup storage buckets (AWS S3).
- **Lateral Movement:** Pivoting from a personal device to the corporate development environment.
- **Collection:** Gathering data from production backups and source code repositories.
- **Exfiltration:** Transfer of data from AWS S3 buckets to attacker-controlled infrastructure.
- **Impact:** Massive data breach affecting millions of users' encrypted vaults.
## Impact Assessment
- **Financial:** Significant legal fees, forensic costs, and a drop in stock/valuation following the disclosure.
- **Data Breach:** Compromise of nearly 30 million users' data, including encrypted vaults and unencrypted metadata.
- **Operational:** Diversion of engineering resources toward remediation and infrastructure rebuilding.
- **Reputational:** Severe loss of consumer trust in LastPass as a security provider.
## Indicators of Compromise
- **Network indicators:** No attacker IP addresses or domains were published. Because the access used valid credentials and keys, the usable network attributes were the source address and timing of the storage access relative to the engineer's normal pattern, not any recognizable attacker infrastructure.
- **File indicators:** Keylogger malware on the engineer's home computer, implanted through the media-server exploit.
- **Behavioral indicators:** Unusual volume of data egress from S3 backup buckets during non-standard hours, and attempts to use IAM roles outside their normal activity pattern.
## Response Actions
- **Containment:** Revoked all compromised credentials and invalidated active sessions.
- **Eradication:** Rebuilt various segments of the development environment and isolated affected cloud storage.
- **Recovery:** Notified affected customers, advised changing master passwords (especially weak or reused ones) and raised the default PBKDF2 iteration count used to derive vault encryption keys.
## Lessons Learned
- **Home Security:** The security of a corporate environment is only as strong as the home networks of employees with high-level access.
- **Shared Infrastructure:** Affiliate companies sharing cloud storage (GoTo and LastPass) create a single point of failure: one stolen set of keys exposed both organizations' data.
- **MFA Limitations:** MFA protects the authentication step, not the endpoint. A keylogger on the device captures the password after MFA has already been satisfied, and stored secrets such as backup decryption keys need no further MFA once the vault is open.
## Recommendations
- **Endpoint Hardening:** Prohibit the use of high-privilege administrative accounts and corporate vaults on personal or unmanaged devices; where they cannot be avoided, keep third-party software on them patched.
- **Strict Network Segmentation:** Segregate development and production storage environments, and restrict backup buckets so that their keys are only usable from designated networks or roles rather than from any internet address.
- **Continuous Monitoring:** Implement behavioral analytics for cloud storage access (e.g., AWS GuardDuty) to alert on large-scale data egress.
- **Zero Trust:** Implement device-posture checks that require the device to be compliant before allowing access to sensitive cloud resources.
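As an added example for the behavioral indicator above (large egress from backup buckets at unusual hours) and the continuous-monitoring recommendation, the following Python script is not code from GoTo, LastPass or the original report. It parses constructed S3 server access log lines and flags any principal that reads more than a threshold of bytes from the backup bucket within one hour when that read happens outside business hours or from an address outside assumed corporate ranges. The bucket name, account ID, IAM user names, IP ranges, hours and byte threshold are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Leading fields of an S3 server access log record; trailing fields are ignored:
# owner bucket [time] ip requester request_id operation key "request" status error bytes_sent object_size ...
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<error>\S+) (?P<bytes_sent>\d+|-) (?P<object_size>\d+|-)'
)

# All of the following are assumptions for the example, not values from the incident.
TRUSTED_NETS = (ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24"))  # backup VPC, office egress
BUSINESS_HOURS = range(8, 18)       # 08:00-17:59 UTC
EGRESS_THRESHOLD = 1024 ** 3        # 1 GiB per principal, source IP and hour
WATCHED_OPS = {"REST.GET.OBJECT"}   # only reads move backup data out of the bucket


@dataclass(frozen=True)
class Finding:
    requester: str
    ip: str
    hour: str          # ISO timestamp of the one-hour window
    objects: int
    bytes_sent: int
    reasons: tuple


def parse_line(line):
    """Return the fields the rule needs, or None if the line is not a valid record."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "ip": m["ip"],
        "requester": m["requester"],
        "operation": m["operation"],
        "status": m["status"],
        "bytes_sent": 0 if m["bytes_sent"] == "-" else int(m["bytes_sent"]),
    }


def is_trusted_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_egress(lines, threshold=EGRESS_THRESHOLD):
    """Sum successful GetObject bytes per (principal, source IP, hour) and flag windows
    over the threshold that are also off-hours or from an untrusted network. A large
    in-hours restore from the backup VPC is left alone: with stolen but valid
    credentials, where and when the access happens is the usable signal."""
    totals = defaultdict(lambda: [0, 0])   # (requester, ip, hour) -> [objects, bytes]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["operation"] not in WATCHED_OPS or rec["status"] != "200":
            continue
        hour = rec["time"].replace(minute=0, second=0)
        slot = totals[(rec["requester"], rec["ip"], hour)]
        slot[0] += 1
        slot[1] += rec["bytes_sent"]
    findings = []
    for (requester, ip, hour), (objects, total) in sorted(totals.items()):
        if total < threshold:
            continue
        reasons = []
        if hour.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not is_trusted_ip(ip):
            reasons.append("source IP not in corporate ranges")
        if reasons:
            findings.append(Finding(requester, ip, hour.isoformat(), objects, total, tuple(reasons)))
    return findings


# Constructed log lines: a nightly backup write, an in-hours restore from the VPC,
# one small engineer read from the office, and an off-hours pull of the same backup
# set by the engineer's identity from an unknown address (last request denied).
OWNER, USER = "3f1c2b", "arn:aws:iam::123456789012:user"
SAMPLE_LINES = f"""\
{OWNER} prod-vault-backups [14/Sep/2022:02:00:05 +0000] 10.20.0.15 {USER}/backup-job 1A REST.PUT.OBJECT vaults/2022-09-14/part-01.tar.gpg "PUT /vaults/2022-09-14/part-01.tar.gpg HTTP/1.1" 200 - - 734003200
{OWNER} prod-vault-backups [14/Sep/2022:10:05:30 +0000] 10.20.0.15 {USER}/restore-job 2B REST.GET.OBJECT vaults/2022-09-13/part-01.tar.gpg "GET /vaults/2022-09-13/part-01.tar.gpg HTTP/1.1" 200 - 1073741824 1073741824
{OWNER} prod-vault-backups [14/Sep/2022:10:06:12 +0000] 10.20.0.15 {USER}/restore-job 3C REST.GET.OBJECT vaults/2022-09-13/part-02.tar.gpg "GET /vaults/2022-09-13/part-02.tar.gpg HTTP/1.1" 200 - 1073741824 1073741824
{OWNER} prod-vault-backups [14/Sep/2022:14:03:11 +0000] 203.0.113.40 {USER}/devops-engineer 4D REST.GET.OBJECT docs/restore-runbook.md "GET /docs/restore-runbook.md HTTP/1.1" 200 - 20480 20480
{OWNER} prod-vault-backups [15/Sep/2022:03:12:41 +0000] 198.51.100.23 {USER}/devops-engineer 5E REST.GET.OBJECT vaults/2022-09-14/part-01.tar.gpg "GET /vaults/2022-09-14/part-01.tar.gpg HTTP/1.1" 200 - 734003200 734003200
{OWNER} prod-vault-backups [15/Sep/2022:03:19:07 +0000] 198.51.100.23 {USER}/devops-engineer 6F REST.GET.OBJECT vaults/2022-09-14/part-02.tar.gpg "GET /vaults/2022-09-14/part-02.tar.gpg HTTP/1.1" 200 - 734003200 734003200
{OWNER} prod-vault-backups [15/Sep/2022:03:25:58 +0000] 198.51.100.23 {USER}/devops-engineer 7G REST.GET.OBJECT vaults/2022-09-14/part-03.tar.gpg "GET /vaults/2022-09-14/part-03.tar.gpg HTTP/1.1" 403 AccessDenied - -
""".splitlines()

if __name__ == "__main__":
    for f in detect_egress(SAMPLE_LINES):
        print(f"{f.requester} from {f.ip} at {f.hour}: {f.objects} objects, "
              f"{f.bytes_sent / 1024**3:.2f} GiB; {', '.join(f.reasons)}")
```

Run as a script, it reports only the 03:00 window from 198.51.100.23: the in-hours 2 GiB restore from the VPC exceeds the threshold but carries no off-hours or off-network reason, and the denied request is not counted. In production the same aggregation would run over CloudTrail S3 data events or the access logs delivered to a logging bucket, with the trusted ranges and baseline hours taken from the principal's own history rather than fixed constants.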