LastPass Breach - and your SSO

February 28, 2023

https://profero.io/blog/lastpass-breach-and-your-sso

See our previous blog post.

On Feb 28th, 2023, new information disclosed by LastPass revealed that users of their organizational product relying on SSO are also at risk.

TL;DR:

  • In order to compromise your vault protected by SSO, the attacker needs access to a single employee in your organization.
  • If you did not rotate your passwords or follow our other recommendations, now is the time.
  • It looks like the only way to do proper key rotation is to “re-federate” your organization, namely, rebuild your SSO data.

Background

The attackers want access to the encrypted values stored inside the organizational vaults. To achieve that, they would need to succeed in the following steps:

  1. gain access to the vaults - DONE
  2. copy the vaults for offline access - DONE
  3. get the K2 values - DONE
  4. get the K1 value - ?
  5. gain access to the master password encrypting the vault
  6. match a specific vault with a specific master password

The master password is protected by splitting the secret between two separate keys:

  • K1 is a company-wide secret
  • K2 is the user-generated secret, and it is stored at the LastPass backend

The attacker’s goal was to have both K1 and K2, as this would provide them with the master password and the ability to decrypt organizational vaults.

To get the master password, the attacker would need to hash the combination of the two values:

masterPassword := Sha256(K1 xor K2)

K2

K2 is stored at LastPass and fetched via an API request using an id_token signed by your SSO provider.

The attackers compromised one of the LastPass DevOps team’s home environments, which allowed them to extract an important set of secret keys named K2.

The attackers have this set of values now.

K1

K1 is the company-wide secret (not per user) and is stored in the JWT issued by the SSO. This means that whenever an organization member performs SSO authentication, they receive the K1 value inside the JWT used for authentication.

This K1 value is the same for all members of the organization.

The attacker now needs to target any employee of that organization and steal their K1 value. As this value does not change, it does not matter which employee they capture it from; they only need to succeed once.

Matching Vaults to Organizations

The last piece is to match a vault (which they already stole) with its K2 value (which they now have), and to target any user who belongs to the same organization as the vault.

You would assume that matching these would be problematic, but the organization name and other data are not encrypted in the vault.

Recommendations

At this time, it looks like the only way to rotate K1 values is to “re-federate” your organization with your provider, which is undoubtedly a challenging process.
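To make the dependency on K1 concrete, here is an added model of the derivation described above (example code, not LastPass code; the user names, the random key material and the 32-byte key length are constructed assumptions). It shows why a single captured K1 covers every user whose K2 was leaked, and why re-federating, which replaces K1 for the whole organization, is what breaks the link between the leaked K2 set and the current master passwords.

```python
"""Model of the K1/K2 split-secret scheme: masterPassword = Sha256(K1 xor K2)."""
import hashlib
import secrets

KEY_LEN = 32  # assumption: both halves are 32-byte secrets


def derive_master_password(k1: bytes, k2: bytes) -> str:
    """SHA-256 over the byte-wise XOR of the company-wide K1 and the per-user K2."""
    if len(k1) != len(k2):
        raise ValueError("K1 and K2 must be the same length")
    return hashlib.sha256(bytes(a ^ b for a, b in zip(k1, k2))).hexdigest()


def provision_org(k1: bytes, users: list[str]) -> dict[str, bytes]:
    """Each user gets an individual K2 (held server-side); K1 is shared org-wide."""
    return {user: secrets.token_bytes(len(k1)) for user in users}


def recover_with_one_k1(leaked_k2: dict[str, bytes], captured_k1: bytes) -> dict[str, str]:
    """What a holder of the K2 dump can compute once any one employee's K1 is known."""
    return {user: derive_master_password(captured_k1, k2) for user, k2 in leaked_k2.items()}


def still_exposed(leaked_k2: dict[str, bytes], captured_k1: bytes, current_k1: bytes) -> set[str]:
    """Users whose *current* master password equals the value derived from the old K1."""
    guessed = recover_with_one_k1(leaked_k2, captured_k1)
    return {u for u, k2 in leaked_k2.items() if guessed[u] == derive_master_password(current_k1, k2)}


def demo() -> tuple[int, int]:
    """Returns (users exposed before re-federation, users exposed after it)."""
    users = ["alice", "bob", "carol"]          # constructed org members
    k1 = secrets.token_bytes(KEY_LEN)          # company-wide K1, present in every SSO token
    k2_store = provision_org(k1, users)        # the per-user K2 set the post says was extracted
    # One K1 captured from any employee is valid for every user in the org ...
    before = len(still_exposed(k2_store, k1, k1))
    # ... until the org re-federates, which replaces K1 for everyone at once.
    new_k1 = secrets.token_bytes(KEY_LEN)
    after = len(still_exposed(k2_store, k1, new_k1))
    return before, after


if __name__ == "__main__":
    print("exposed before/after re-federation:", demo())  # (3, 0)
```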

Links

  • https://support.lastpass.com/help/incident-2-additional-details-of-the-attack
  • https://medium.com/@chaim_sanders/its-all-bad-news-an-update-on-how-the-lastpass-breach-affects-lastpass-sso-9b4fa64466f6
