
Plex and LastPass breaches look very much alike

26-08-2022, 09:03 by Anoniem, 3 replies
Email from LastPass:


We are writing to inform you that we recently detected some unusual activity within portions of the LastPass development environment. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

Email from Plex:


Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.


Is this a coincidence? Or do they both share the same development platform?
Replies (3)
26-08-2022, 11:00 by Erik van Straten
Presumably these are the same attackers, as documented among others in:

25 Aug. https://blog.group-ib.com/0ktapus

15 Aug. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/

15 Aug. https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack

and possibly this one already, 12 July https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

In any case they have in common that they manage to bypass almost all forms of MFA (2FA) (using proxies such as Modlishka, Muraena, CredSniper or Evilginx2).

In my opinion, Group-IB's advice is the most sensible:
Group-IB recommends the following to mitigate similar attacks:

1) End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.

2) Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.

3) Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests.

4) If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.

Unfortunately this is made needlessly difficult for us, the users - as I described (cynically) yesterday in https://security.nl/posting/765755.
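Why Group-IB's third recommendation holds up against the relay proxies named above, as an added example that is not from this post, from Group-IB or from any of the linked reports: the origin and rpIdHash checks a WebAuthn relying party performs on an assertion, with constructed values (the example.com relying party, the lookalike domain and the challenge are all made up); the signature check is left out.

```python
import base64
import hashlib
import json

# Constructed relying-party (RP) values; the domain and challenge are made up.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = b"constructed-random-challenge-32b"

def b64url(data: bytes) -> str:
    """Base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser serialises into clientDataJSON: the origin the user is actually on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData: SHA-256(rpId), flags (UP|UV = 0x05), 4-byte sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes) -> tuple[bool, str]:
    """Origin/rpId checks an RP performs before verifying the signature (left out here).
    A relay proxy can forward the RP's challenge unchanged, but cannot make the victim's
    browser report the RP's origin while the user is on a lookalike domain."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    # Genuine login from the real origin.
    print(check_assertion(make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_auth_data(RP_ID), CHALLENGE))
    # Same challenge relayed via a constructed lookalike domain: the browser records
    # that origin (and would scope the credential to that rpId), so the RP rejects it.
    PHISH = "https://login.example-com.test"
    print(check_assertion(make_client_data(PHISH, CHALLENGE), make_auth_data("example-com.test"), CHALLENGE))
```

A TOTP or SMS code carries no origin, which is why the same proxy can relay it unchanged and succeed.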
26-08-2022, 11:33 by Anoniem
Erik van Straten wrote: Presumably these are the same attackers, as documented among others in:

25 Aug. https://blog.group-ib.com/0ktapus

15 Aug. https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/

15 Aug. https://www.silentpush.com/blog/analysis-of-the-twilio-phishing-attack

and possibly this one already, 12 July https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

In any case they have in common that they manage to bypass almost all forms of MFA (2FA) (using proxies such as Modlishka, Muraena, CredSniper or Evilginx2).

In my opinion, Group-IB's advice is the most sensible:
Group-IB recommends the following to mitigate similar attacks:

1) End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.

2) Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.

3) Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests.

4) If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.

Unfortunately this is made needlessly difficult for us, the users - as I described (cynically) yesterday in https://security.nl/posting/765755.

Thanks for this explanation, Erik! You are an asset to this forum.
Regards, TS
26-08-2022, 15:32 by Anoniem
Anoniem wrote: Is this a coincidence? Or do they both share the same development platform?
Going by your quotes, at LastPass it was the development environment that was compromised, whereas at Plex it was the operational environment.

This posting is locked. Replying is no longer possible.