Thursday, June 1, 2023

Improving Security for Remote Work with Security Service Edge

Hybrid work is here to stay. According to the 2022 Cisco Global Hybrid Work Study, more than 90% of respondents will work remotely at least part time in the future. In many organizations, however, remote workers are left with fewer security protections than those on the corporate network, and attackers have taken notice.

One of the largest breaches in the past year was at LastPass, and it involved an attack on a remote user. While our intent is not to sensationalize a company's data breach, the attack is a useful model for studying how threat actors target remote workers in the wild. This post focuses on the tactics and techniques used by the attacker and on how security service edge (SSE) can help you protect your users from similar threats.

LastPass breach highlights remote work security challenges

LastPass released two major breach disclosures detailing separate incidents involving the same as-yet-unidentified attacker. The first notification described an incident in August 2022. While this notification lacked details on the initial attack vector, it said the attacker had compromised a software engineer's corporate laptop, which it used to “tailgate” into LastPass corporate systems via the corporate VPN. With this access, the attacker exfiltrated proprietary company source code, some of which included cleartext embedded credentials and stored digital certificates.

In the second breach disclosure, LastPass describes a much more impactful compromise of its systems that resulted in the exfiltration of access and decryption keys for production backup systems, other cloud-based storage, and related critical database backups. According to the disclosure, the two incidents are part of a single attack involving the same threat actor.

In this case, the attacker specifically targeted a senior DevOps engineer who had access to the decryption keys needed to reach cloud storage services and likely held other deep privileges. This type of high-value user is often subject to targeted attacks because they have access to highly sensitive environments as part of their day-to-day job.

The attacker compromised the engineer's home computer through a three-year-old vulnerability in Plex Media Server. The vulnerability, which was patched in version 1.19.3 in 2020, allowed an attacker with access to the user's Plex account to remotely change the media server's data directory so that it overlapped with the directory used by Camera Upload, a now unsupported feature that allowed users to remotely upload files. With the directory changed, the attacker could upload a malicious file that enabled remote Python code execution.

According to the second breach disclosure, the attacker installed a keylogger on the engineer's computer by using this remote code execution exploit. The attacker was then able to capture the engineer's master password and gain access to the employee's LastPass corporate vault. From there, the attacker exfiltrated highly sensitive notes that contained decryption keys for various key systems.

The entire attack kill chain looks like this. Note that I'm going to make a few assumptions where details of the LastPass breach are sparse or unavailable. You should treat this as a model for a potential attack rather than a factual recount of what happened.

  1. Assumption: when targeting LastPass, the attacker identified high-value employees to target who likely had deep access privileges. Threat actors often identify these users through social media sites, such as LinkedIn.
  2. Assumption: after identifying a potential target, the attacker managed to determine that the user had a Plex account and compromised it. This could have been done in a variety of ways, such as phishing. Plex did disclose a breach in August 2022 that leaked user emails, usernames, and encrypted passwords. It's possible, though unconfirmed, that information from this Plex breach was used to compromise the account.
  3. With Plex account access, the attacker was able to exploit CVE-2020-5741 on the employee's outdated media server to implant keylogger malware.
  4. Eventually the attacker was able to capture the employee's master password.
  5. Assumption: the attacker was able to trick the user into letting them bypass MFA. One possible way to do this is to wait for a time when the employee was likely to be authenticating, then send a duplicate MFA request in the hope that the user would mistake it for a legitimate one.
  6. Once authenticated, the attacker could access the user's stored credentials and secure notes, which included corporate decryption keys for various services.
  7. Then it's just a matter of accessing systems, exfiltrating data, and decrypting it where possible.

For many companies, remote work security is a relatively new challenge. There are many more remote and hybrid workers than there were just a few years ago, and attacks targeting these users are a new problem for many security teams. This attack is a rare example of a publicly disclosed breach that targeted a remote worker, and it includes enough detail for us to build a model based on tactics and techniques that are actively in use. By studying this model, you can take away several lessons that will help you improve your security posture and defend against similar attacks.

Security Service Edge (SSE) can help protect remote workers

One of the most important technologies that can help you protect remote workers is the security service edge (SSE). In fact, LastPass noted in its disclosure that in response to the breach, it adopted zero trust network access (ZTNA) and a secure access service edge (SASE) architecture. SSE is the security component of SASE, and it includes ZTNA as one of its primary functions. SSE represents the convergence of a variety of technologies, including secure web gateway, cloud access security broker, zero trust network access, and cloud security posture management.

Zero Trust Network Access (ZTNA)

In this case, ZTNA is particularly effective. In the first security incident, the attacker was able to “tailgate” onto the corporate VPN via the compromised engineer's laptop, which gave them access to source code repositories. Oftentimes, the use of VPNs creates open, flat network access, where once a user authenticates, they have broad access to sensitive resources. This means that if an attacker can gain access to the corporate VPN, they have extensive reach inside the network. In other words, the blast radius of the attack is larger.

ZTNA is part of a zero trust architecture that provides secure remote access to an organization's applications based on defined access policies. A key difference between a VPN and ZTNA is that ZTNA grants access only to specific applications instead of the entire network, ensuring that if an attacker manages to bypass authentication, they can reach only the target application and not everything on the network. ZTNA effectively reduces the blast radius of an attack.

Not only would the use of ZTNA have limited the scope of the attack, but it could also have prevented the attacker from accessing any secured systems at all. When a user authenticates to connect to a ZTNA-protected app, the security posture of the user's device is assessed to ensure it is safe to connect.

These capabilities would have been relevant at two key moments of the attack. In the first incident, ZTNA would have kept the attacker from gaining broad access to corporate systems via the VPN. In the second incident, it might have prevented the employee from accessing secured resources from their vulnerable home computer, which would in turn have prevented the attacker from using access to that machine to infiltrate corporate systems.
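The contrast between flat VPN reach and per-application, posture-gated access can be made concrete. The following is an added example, not code from the Cisco post; the application names, group names and posture fields are hypothetical.

```python
"""Added example (not from the Cisco post): a minimal ZTNA-style policy
evaluator contrasting flat VPN access with per-application access that
also checks device posture. App names, groups and posture fields are
hypothetical placeholders."""
from dataclasses import dataclass

@dataclass
class DevicePosture:
    managed: bool       # corporate-enrolled device
    os_patched: bool    # no known-vulnerable software outstanding
    edr_running: bool   # endpoint agent healthy

@dataclass
class AccessRequest:
    user: str
    groups: set
    app: str
    posture: DevicePosture

# Per-application policy: who may reach it and whether a managed device
# is required. Hypothetical app names.
APP_POLICY = {
    "source-repo": {"groups": {"engineering"}, "require_managed": True},
    "backup-keys": {"groups": {"devops"}, "require_managed": True},
    "wiki": {"groups": {"engineering", "devops"}, "require_managed": False},
}

def vpn_reachable(user_groups: set) -> set:
    """Flat VPN model: once authenticated, every app is reachable."""
    return set(APP_POLICY) if user_groups else set()

def ztna_decision(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Identity AND posture are checked per app,
    so a hijacked session reaches at most the one app it was scoped to."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not req.groups & policy["groups"]:
        return False, "user not entitled to application"
    if policy["require_managed"] and not req.posture.managed:
        return False, "unmanaged device"
    if not (req.posture.os_patched and req.posture.edr_running):
        return False, "device posture failed"
    return True, "ok"

def ztna_reachable(user: str, groups: set, posture: DevicePosture) -> set:
    """Apps this user on this device would actually be granted."""
    return {a for a in APP_POLICY
            if ztna_decision(AccessRequest(user, groups, a, posture))[0]}
```

With the same authenticated engineer, the VPN model exposes every application while the ZTNA model exposes only the two the user is entitled to, and an unmanaged, unpatched home machine is granted nothing.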

Data Loss Prevention (DLP)

Moving beyond the initial attack vector, it is also important to secure the resources that remote workers can access by applying strong security policies. One such policy is controlling sensitive information at rest in cloud services or in transit from remote workers' computers using Data Loss Prevention (DLP) policies.

As its name implies, data loss prevention, or DLP, aims to prevent data exfiltration by identifying sensitive data at rest or in motion. Commonly, DLP is used to detect unsecured credentials, access tokens, or personally identifiable information. There are two primary types of DLP: inline DLP, which captures web traffic from a user's machine in real time, decrypts it where necessary, and inspects it for sensitive information based on security policies; and API-based scanning, which inspects data at rest in cloud storage services for sensitive information.

Cisco DLP can identify cleartext embedded credentials or other sensitive data at rest in places it shouldn't be. Also, if an employee attempts to store, post, or otherwise transmit sensitive data to restricted or unauthorized destinations, inline DLP will identify it and prevent the transfer. This would stop an attacker from using a compromised user machine to exfiltrate that data. In this attack, DLP policies could have prevented cleartext credentials from being stored in the source code repository or transmitted by the attacker.
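To show what "identifying cleartext embedded credentials" looks like in practice, here is an added example of a small content inspector of the kind a DLP policy applies to source text before it is committed or uploaded. It is not Cisco's DLP code; the patterns, the sample file and the trusted/untrusted destination flag are constructed for illustration.

```python
"""Added example (not Cisco DLP product code): scan text for cleartext
embedded credentials and decide, inline-DLP style, whether the content
may leave for a given destination. Patterns and sample are constructed."""
import re

# Detector name -> compiled pattern. Common secret shapes; a production
# policy carries many more and tunes them for false positives.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*["'][^"']{6,}["']"""),
    "generic_api_token": re.compile(
        r"""(?i)(?:api[_-]?key|token)\s*[=:]\s*["'][A-Za-z0-9_\-]{20,}["']"""),
}

def scan_text(text: str) -> list:
    """Return (line_number, detector, matched_text) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
    return findings

def dlp_verdict(text: str, destination_trusted: bool) -> str:
    """Sensitive content may flow only to an approved destination (and is
    logged); anything else is blocked for review."""
    if not scan_text(text):
        return "allow"
    return "allow-audit" if destination_trusted else "block"

# Constructed sample: a settings module with secrets baked in. The AWS key
# is the documented AWS example key, not a real credential.
SAMPLE_SOURCE = '''# settings.py (constructed sample)
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "sk_live_0123456789abcdefghijklmn"
'''

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_SOURCE):
        print(hit)
    print(dlp_verdict(SAMPLE_SOURCE, destination_trusted=False))  # block
```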

Secure Web Gateway (SWG) and DNS Security

In this attack, exploiting the vulnerable Plex media server was a critical step. Had the server been on the corporate network, the company's firewall would likely have prevented the exploit. However, because it was a remote user's computer, there was no such protection. One way to detect and block this activity off the corporate network is a secure web gateway (SWG) with firewall-as-a-service (FWaaS) and an intrusion prevention system (IPS). Because the exploit used a known vulnerability, a firewall with IPS would have been able to block attempts to exploit it.

In addition, most malware, such as the keylogger in this case, involves communicating with a command-and-control server over DNS. A DNS security solution can detect command-and-control activity and block it at the DNS level, regardless of whether the user is remote. Even if the attacker had managed to bypass protections and install the malware, it would not have been able to receive instructions from the command-and-control servers.

Public cloud threat detection

When attacks affect public cloud environments, such as the Amazon S3 buckets that were targeted in the LastPass attack, threat activity can be detected using a public cloud threat detection platform, such as Cisco Secure Cloud Analytics. These solutions consume native logs from public cloud environments to identify anomalous and malicious activity, such as a user logging in from two different locations within a short period of time or a user downloading an unusually large amount of data from the environment, both of which occurred in this attack.

While this isn't directly related to protecting remote workers, it does protect the resource the attacker is targeting. It is important to enact security controls across the entire attack surface, including user machines and infrastructure.
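The two anomalies named above, a login from two distant locations in a short window and an unusually large download, can be expressed as simple detections over cloud audit logs. The following is an added example and not Cisco Secure Cloud Analytics code; the CloudTrail-style field names, the one-hour window, the baseline figures and the sample events are constructed assumptions.

```python
"""Added example (not Cisco Secure Cloud Analytics code): two detections
run over constructed CloudTrail-style audit records. Field names, the
travel window, the volume factor and the events are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a DevOps user signs in from two distant
# locations within an hour, then pulls far more data than usual.
EVENTS = [
    {"time": "2022-10-01T09:00:00", "user": "devops-eng", "loc": "US-CA", "event": "ConsoleLogin", "bytes": 0},
    {"time": "2022-10-01T09:20:00", "user": "devops-eng", "loc": "US-CA", "event": "GetObject", "bytes": 5_000_000},
    {"time": "2022-10-01T09:45:00", "user": "devops-eng", "loc": "EU-DE", "event": "ConsoleLogin", "bytes": 0},
    {"time": "2022-10-01T10:05:00", "user": "devops-eng", "loc": "EU-DE", "event": "GetObject", "bytes": 900_000_000},
    {"time": "2022-10-01T10:10:00", "user": "analyst", "loc": "US-NY", "event": "GetObject", "bytes": 2_000_000},
]

# Constructed per-user baseline of normal daily download volume in bytes.
BASELINE_BYTES = {"devops-eng": 10_000_000, "analyst": 5_000_000}

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def impossible_travel(events, window=timedelta(hours=1)) -> list:
    """Flag (user, loc_a, loc_b) when one identity logs in from two
    different locations within `window` of each other."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "ConsoleLogin":
            logins[e["user"]].append((_ts(e["time"]), e["loc"]))
    alerts = []
    for user, seq in logins.items():
        seq.sort()
        for (t1, l1), (t2, l2) in zip(seq, seq[1:]):
            if l1 != l2 and t2 - t1 <= window:
                alerts.append((user, l1, l2))
    return alerts

def volume_anomaly(events, baseline: dict, factor: float = 10.0) -> list:
    """Flag (user, total_bytes) when downloads exceed factor x baseline."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "GetObject":
            totals[e["user"]] += e["bytes"]
    return [(u, b) for u, b in totals.items()
            if b > factor * baseline.get(u, 0)]
```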

Preventing other initial attack vectors

While in the case of the second LastPass breach the attacker used a vulnerable media server to take over the targeted computer, there is a wide variety of potential attack vectors that could give an attacker initial access. It's worth discussing a few here.

Phishing is a common attack vector, and more broadly, the use of stolen credentials is involved in most breaches, according to the 2022 Verizon Data Breach Investigations Report. DNS security and an SWG can reduce phishing by identifying and blocking malicious websites. In addition, multi-factor authentication with PIN code verification can prevent a user from mistakenly approving a malicious MFA request.

For highly targeted employees, such as those with deep access privileges, remote browser isolation (RBI) can prevent an attacker from using browser-based exploits. RBI provides an added layer of protection against browser-based threats for high-risk users. It creates a surrogate browser in the cloud that visits a website on behalf of the user and renders all content safely. This prevents browser-based threats from exploiting the end user's browser.

These security measures work whether the user is remote or accessing the network from a branch office or corporate headquarters.

Improve security for your remote workers

Hybrid work is a common feature of today's workplaces, and modern security teams need the right technology and processes in place to protect remote workers. The LastPass breach provides a real-world model of how attackers can target high-value users at home to gain access to sensitive corporate resources.

Security Service Edge (SSE) solutions provide organizations with secure connectivity for their hybrid workforce as they access the internet, cloud services, and applications, while protecting corporate resources from cyberattacks and sensitive data loss. Cisco SSE solutions use resilient cloud services that deliver industry-leading security efficacy and performance. Multiple third parties regularly validate the value, such as Forrester research showing that Cisco SSE customers realized a 231% ROI in three years. With multiple deployment options, Cisco helps organizations improve security at their own pace, smoothly transitioning from on-premises security to cloud security, expanding to SSE and, optionally, evolving toward a SASE architecture.

Learn more about how Cisco Secure Service Edge can secure your remote and hybrid users.
