LastPass hack caused by an unpatched Plex software on an employee’s PC

The LastPass data breach was caused by the failure to update Plex on the home computer of one of the company updates.

The security breach suffered by LastPass was caused by the failure to update Plex on the home computer of one of its engineers.

Recently, the password management software firm disclosed a “second attack,” a threat actor used data stolen from the August security breach and combined it with information available from a third-party data breach. Then the attackers exploited a flaw in a third-party media software package to target the firm.

LastPass revealed that the home computer of one of its DevOp engineers was hacked as part of a sophisticated cyberattack.

The attackers targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service. The hackers installed a keylogger on the DevOp engineer’s computed and captured his master password.

The investigation conducted by the company with the help of the cybersecurity firm Mandiant confirmed the attack on the DevOps engineer’s home computer.

The attackers hacked the employee’s home computer by exploiting a deserialization of untrusted data in Plex Media Server on Windows. The issue, tracked as CVE-2020-5741 (CVSS score: 7.2), can be exploited by a remote, authenticated attacker to execute arbitrary Python code.

“We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled.” reads the advisory published by Plex. “This issue could not be exploited without first gaining access to the server’s Plex account. This issue has been assigned CVE-2020-5741 3“

The incident demonstrates the importance of patch management, the LastPass employee has never installed security updates provided by the software vendor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, LastPass)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.