In September 2023, KrebsOnSecurity revealed insights from cybersecurity experts who determined that a sequence of six-figure cyber thefts involving numerous victims stemmed from criminals deciphering master passwords taken from the password management service LastPass in 2022. A legal document filed this week by U.S. federal investigators looking into a significant $150 million cryptocurrency theft indicated they had arrived at the same conclusion.
On March 6, federal attorneys in northern California announced the confiscation of roughly $24 million in cryptocurrencies that were recovered after a $150 million cyber theft that occurred on Jan. 30, 2024. The legal complaint references the individual victim only as “Victim-1,” but according to blockchain security investigator ZachXBT, the crime was committed against Chris Larsen, co-founder of the cryptocurrency platform Ripple.
ZachXBT was the first to report on the theft, of which approximately $24 million was frozen by the authorities before it could be withdrawn. This week’s move by the government merely allows enforcement agencies to formally take possession of the frozen assets.
However, an important assertion in this seizure document states that the U.S. Secret Service and the FBI concur with the conclusions of the LastPass breach article published in September 2023. That report cited security analysts who indicated they were observing six-figure cryptocurrency thefts multiple times each month, which they believed were primarily due to criminals cracking master passwords for the password vaults previously stolen from LastPass in 2022.
“The Federal Bureau of Investigation has been probing these data breaches, and law enforcement agents involved in this current case have consulted with FBI representatives about their inquiry,” the seizure complaint states, authored by a U.S. Secret Service agent. “From those discussions, law enforcement in this matter learned that the stolen data and passwords stored within several victims’ online password manager accounts were misused to illegally and without consent gain access to the victims’ electronic accounts and pilfer information, cryptocurrency, and other assets.”
The document goes on:
“Based on this investigation, law enforcement possessed probable cause to suspect that the same assailants behind the aforementioned online password manager attack utilized a stolen password maintained in Victim 1’s online password manager account and, without permission, accessed his cryptocurrency wallet/account.”
Collaborating with numerous victims, cybersecurity researchers Nick Bax and Taylor Monahan discovered that none of the six-figure cyber-theft victims appeared to have experienced the types of attacks that typically precede a high-value cryptocurrency theft, such as the compromise of one’s email and/or mobile phone accounts, or SIM-swapping attacks.
They found that all victims shared another characteristic: Each had, at some point, stored their cryptocurrency seed phrase — the secret code that enables access to your cryptocurrency holdings — within the “Secure Notes” section of their LastPass account prior to the 2022 breaches at the company.
Bax and Monahan identified a recurring theme with these thefts: They all exhibited a similar pattern of liquidating funds, swiftly transferring stolen assets to an overwhelming number of drop accounts distributed across various cryptocurrency exchanges.
The government stated that a comparable level of sophistication was evident in the $150 million theft targeting the Ripple co-founder last year.
“The magnitude of a theft and rapid dissipation of funds would have necessitated the involvement of multiple malicious actors and was in line with the breaches of the online password manager and attacks on other victims whose cryptocurrency was appropriated,” the government noted. “Consequently, law enforcement agents suspect that the cryptocurrency purloined from Victim 1 was executed by the same perpetrators who executed the assault on the online password manager, along with cryptocurrency thefts from other similarly situated victims.”
When contacted for a statement, LastPass claimed it has encountered no definitive evidence — from federal investigators or any other sources — that links the cyber thefts in question to the breaches of LastPass.
“Since we first revealed this incident back in 2022, LastPass has collaborated closely with multiple representatives from law enforcement,” LastPass stated in an official response. “So far, our law enforcement partners have not informed us of any conclusive evidence that ties any cryptocurrency thefts to our incident. Meanwhile, we have been heavily investing in upgrading our security protocols and will persist in doing so.”
On August 25, 2022, LastPass CEO Karim Toubba informed users that the company had detected abnormal activity in its software development environment, and that the intruders had appropriated some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass announced that an investigation into the August incident concluded that the attacker had not accessed any customer data or password vaults.
However, on Nov. 30, 2022, LastPass alerted customers about another, significantly more severe security incident that the company asserted leveraged data stolen in the August breach. LastPass revealed that criminal hackers had compromised encrypted copies of certain password vaults, along with other personal data.
Experts assert that the breach would have provided thieves “offline” access to encrypted password vaults, theoretically allowing them unlimited time to attempt to decipher some of the weaker master passwords using powerful systems capable of trying millions of password guesses each second.
Researchers identified that many of the cyber theft victims had selected master passwords with relatively low complexity and were among LastPass’s earliest customers. This is because legacy LastPass users were more likely to have master passwords that were safeguarded with far fewer “iterations,” referring to the number of times a password is processed through the company’s encryption routines. Generally, more iterations translate into a longer duration for an offline attacker to crack your master password.
Over the years, LastPass required new users to choose longer and more complex master passwords, and it raised the iteration count several times by considerable margins. However, researchers found compelling signs that LastPass never successfully migrated many of its older customers to the updated password requirements and protections.
Regarding LastPass’s ongoing denials, Bax mentioned that following the initial alert in their 2023 article, he naively hoped individuals would transfer their assets to new cryptocurrency wallets.
“While some did, the continuous thefts highlight how much more needs to be accomplished,” Bax told KrebsOnSecurity. “It’s validating to see the Secret Service and FBI support our findings, but I would prefer witnessing fewer of these hacks in the first place. ZachXBT and SEAL 911 reported yet another surge of thefts as recently as December, indicating that the threat remains very genuine.”
Monahan stated that LastPass still has not notified its customers that their secrets—especially those held in “Secure Notes”—might be at risk.
“It has been two and a half years since LastPass was initially breached [and] hundreds of millions of dollars has been taken from individuals and firms globally,” Monahan remarked. “They could have urged users to change their credentials. They could have prevented millions and millions of dollars from being lost to these threat actors. Instead, they opted to deny that their clients were at risk and shift blame onto the victims instead.”