LastPass Was Hacked Again Because An Employee Didn’t Do A Software Update
Frequent readers of this blog know that I always advocate installing the latest software updates for your operating system and applications as soon as possible. That’s because threat actors will often look at software updates and reverse engineer the flaws that they fix so that they can go after those who didn’t install those updates. Or they may fix an issue that threat actors are exploiting right now. Either way, I strongly believe that you can’t go wrong installing software updates. So in short, what I’m saying is that you increase your chances of getting pwned by not installing software updates. And since a lot of us work from home, your employer could get pwned as well.
And apparently, that is what happened to LastPass according to PC Magazine when they got pwned in August:
This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered.
At the time, LastPass said only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder if the hacker had abused a currently unknown vulnerability, which could put many other users in harm’s way.
PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee’s home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.
Plex told PCMag the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.
“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” a spokesperson for Plex said. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”
So the employee didn’t stay up to date in terms of their Plex install, and now the employee and the employer have been pwned. If I were the employer, in this case LastPass, I’d be not only mad but I would fire the person. Because while LastPass was not at fault here, trust in the company is non-existent because of the previous instances of being pwned by threat actors combined with this. And this employee is at least partially at fault for that, because what is clear here is that this did not need to happen.
And it also makes the perfect argument for employer-supplied laptops if people work from home. Those laptops of course need to be locked down so employees cannot install anything that they want, and they have to be encrypted to protect sensitive data, preferably using self-encrypting drives, which are commonplace today. And multi-factor authentication needs to be present as well so that it makes it extremely hard for a threat actor to break into the laptop and steal data. Because if you control the platforms that your employees use, and you make them as tough to hack as possible, it’s less likely that bad things will happen to you.
This entry was posted on March 5, 2023 at 8:07 am and is filed under Commentary with tags LastPass.