The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, a sobering reminder of the dangers of failing to keep software up to date.
The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that occurred prior to August 12, 2022, along with details "available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack" between August and October 2022.
The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information.
The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with keylogger malware to obtain the credentials needed to breach the cloud storage environment.
This, in turn, is said to have been made possible by exploiting a nearly three-year-old, now-patched flaw in Plex to gain code execution on the engineer's computer, the streaming media service told The Hacker News in a statement.
The vulnerability in question is CVE-2020-5741 (CVSS score: 7.2), a deserialization flaw affecting Plex Media Server on Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user. "Authenticated" is the operative word: the attacker must already hold access to the server administrator's Plex account before the flaw can be used, so the bug turns account compromise into code execution on the host rather than granting access on its own.
"This issue allowed an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it," Plex said in an advisory released at the time.
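The article describes the bug class only in general terms (deserialization of attacker-controlled data leading to arbitrary Python code execution) and does not show Plex's code or name the serialization format involved. The following is an added, generic illustration of that class using Python's pickle module, which is the textbook way such a bug arises in Python; it is not Plex's code and makes no claim about how CVE-2020-5741 was actually triggered. The names `attacker_callable`, `Exploit`, `vulnerable_load` and `RestrictedUnpickler` are hypothetical, and the "dangerous sink" is a harmless recorder so the demo can run safely.

```python
import io
import pickle

# Records what the attacker-controlled pickle managed to invoke. In a real
# exploit the sink would be something like os.system or subprocess.call;
# here it is a harmless stand-in (hypothetical name) so the demo is safe.
CALLS = []


def attacker_callable(cmd):
    """Stand-in for a dangerous sink; just records the argument it was given."""
    CALLS.append(cmd)
    return 0


class Exploit:
    # pickle's __reduce__ hook lets an object describe itself as
    # "call this callable with these arguments" when it is deserialised.
    # That is all an attacker needs: the callable can be any importable
    # function, and the receiving process runs it during loads().
    def __reduce__(self):
        return (attacker_callable, ("id",))


def build_malicious_pickle() -> bytes:
    """Constructed sample input: a pickle that executes code on load."""
    return pickle.dumps(Exploit())


def vulnerable_load(data: bytes):
    """The bug class: handing untrusted bytes straight to pickle.loads."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: refuse to resolve any global not on an explicit allow-list.

    find_class is the hook pickle uses to turn "module.name" references in the
    stream into Python objects; limiting it to plain data types removes the
    attacker's ability to name an arbitrary callable.
    """

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "str"),
        ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load global {module}.{name}")


def safe_load(data: bytes):
    """Deserialise with the restricted unpickler instead of pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run the same payload through both loaders and report what happened.

    Returns (calls made by the vulnerable loader, whether the hardened loader
    rejected the payload, calls made while the hardened loader ran).
    """
    payload = build_malicious_pickle()

    CALLS.clear()
    vulnerable_load(payload)  # attacker_callable("id") runs here
    ran_under_vulnerable = list(CALLS)

    CALLS.clear()
    try:
        safe_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ran_under_vulnerable, blocked, list(CALLS)


if __name__ == "__main__":
    print(demo())
```

The practical takeaway mirrors the Plex advisory's shape: once an attacker can place a file where a deserialiser will read it, the file is the exploit, and the only real fixes are to stop treating that input as trusted (a restricted loader, or a non-executable format such as JSON) and to apply the vendor patch that does so.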
The issue, which was discovered and reported to Plex by Tenable in March 2020, was addressed by Plex in version 1.19.3.2764, released on May 7, 2020. The current version of Plex is 1.31.1.6733, so any Plex Media Server reporting a version below 1.19.3.2764 is still exposed.
"Unfortunately, the LastPass employee never upgraded their software to activate the patch," Plex said in a statement. "For reference, the version that addressed this exploit was roughly 75 versions ago."