The LastPass Hack Somehow Gets Worse
Chinese hackers proved themselves to be as prolific and invasive as ever this week with new findings revealing that in February 2022, Beijing-backed hackers compromised the email server of the Association of Southeast Asian Nations, an intergovernmental body of 10 Southeast Asian countries. The security alert, first reported by WIRED, comes as China has escalated its hacking in the region amidst rising tensions.
Meanwhile, with Russia facing economic sanctions over its invasion of Ukraine, the Kremlin has been trying to address gaps in its tech sector. Now, we’ve learned, it’s scrambling to get a home-brewed Android phone off the ground this year. The National Computer Corporation company, a Russian IT giant, says it will somehow produce and sell 100,000 smartphones and tablets by the end of 2023. Though Android is an open-source platform, there are steps Google could take to restrict the license for the new Russian phone that could ultimately force the project to seek a different mobile operating system.
At the Network and Distributed System Security Symposium in San Diego this week, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security presented findings that popular DJI quadcopters communicate using unencrypted radio signals that can be intercepted to determine where the drones are, as well as the GPS coordinates of their operators. The researchers discovered the exposed communications by reverse engineering DJI’s radio protocol, DroneID.
In the US, a long-awaited national cybersecurity plan from the White House finally debuted on Thursday. It focuses in part on familiar priorities like hardening defenses for critical infrastructure and expanding efforts to disrupt cybercriminal activity. But the plan also includes a proposal to shift legal liability for vulnerabilities and security failures onto the companies who cause them, like software makers or institutions that don’t make a reasonable effort to protect sensitive data.
If you want to do something good for your cyber hygiene this weekend, we’ve got a roundup of the most pressing software patches to download ASAP. Seriously, go install them now, we’ll wait here.
And there’s more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.
In December, the password-manager maker LastPass revealed that an August breach it had disclosed at the end of November was worse than the company originally thought, compromising encrypted copies of some users’ password vaults, on top of other personal information. Now, the company has disclosed a second incident that began in mid-August and allowed attackers to rampage through the company’s cloud storage and exfiltrate sensitive data. Attackers gained such extraordinary access by targeting a specific LastPass employee with deep system privileges.
“This was accomplished by targeting [a] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass wrote in an account of the situation. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”