LastPass hack caused by an unpatched Plex software on an employee’s PC

The LastPass data breach was caused by the failure to update Plex on the home computer of one of the company updates.

The security breach suffered by LastPass was caused by the failure to update Plex on the home computer of one of its engineers.

Recently, the password management software firm disclosed a “second attack,” a threat actor used data stolen from the August security breach and combined it with information available from a third-party data breach. Then the attackers exploited a flaw in a third-party media software package to target the firm.

LastPass revealed that the home computer of one of its DevOp engineers was hacked as part of a sophisticated cyberattack.

The attackers targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service. The hackers installed a keylogger on the DevOp engineer’s computed and captured his master password.

The investigation conducted by the company with the help of the cybersecurity firm Mandiant confirmed the attack on the DevOps engineer’s home computer.

The attackers hacked the employee’s home computer by exploiting a deserialization of untrusted data in Plex Media Server on Windows. The issue, tracked as CVE-2020-5741 (CVSS score: 7.2), can be exploited by a remote, authenticated attacker to execute arbitrary Python code.

“We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled.” reads the advisory published by Plex. “This issue could not be exploited without first gaining access to the server’s Plex account. This issue has been assigned CVE-2020-5741 3“

The incident demonstrates the importance of patch management, the LastPass employee has never installed security updates provided by the software vendor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, LastPass)