It turns out the massive breach at LastPass could have been stopped, or at least delayed, if a company employee had updated a piece of software on their home computer.
This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered.
At the time, LastPass said only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder whether the hacker had abused a previously unknown vulnerability, which could put many other users in harm’s way.
PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee's home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.
Plex told PCMag the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.
“At the time, as noted in that post, an updated version of the Plex Media Server was made available to all (7-MAY-2020),” a spokesperson for Plex said. “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”
LastPass declined to comment. But earlier this week, the company confirmed "the threat actor exploited a vulnerability
Read more on pcmag.com