

My best assumption is the infected device got them past any MFA and the keylogged password got them the decryption they needed to take what they took. Ultimately, it’s not clear what type of MFA, and where it was used, and we shouldn’t have any expectation that LastPass will share that info - they should have, and would have if they were going to by now. These actions are usually machine-to-machine, so instead of MFA you use keys that no one should ever have, except they were able to get keys.

Once they had this information it sounded like it was AWS alerts that tipped them off as they tried actions that IAM roles weren’t authorized to perform. I’m not sure how they extracted everything they did, but it sounds like they got past any MFA via the infected DevOps computer, and ended up with both vaults and keys. It’s not been made very clear, but that quote is out of the ars technica article.
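The comment above points to AWS alerts on API calls that IAM roles were not authorized to perform as the thing that surfaced the activity. As an added illustration of that detection idea (this is example code, not the commenter's, LastPass's, or AWS's), the block below scans CloudTrail-style records for denied calls and flags any principal that accumulates several of them, which is the pattern an attacker probing with stolen keys produces. The records, account id, role names, session names and IP addresses are constructed for the example; the `errorCode` values `AccessDenied` and `UnauthorizedOperation` are the ones CloudTrail uses, and the `threshold` parameter is an assumed tuning knob.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (not real data): one assumed-role session
# probes several APIs it is not allowed to call, another role trips one denial,
# and two calls succeed normally.
ACCOUNT = "111122223333"
DEVOPS_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/devops-role/session-a"
BACKUP_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/backup-role/session-b"

SAMPLE_EVENTS = [
    {"eventTime": "2022-08-12T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": DEVOPS_ARN},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2022-08-12T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListAllMyBuckets", "userIdentity": {"arn": DEVOPS_ARN},
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-12T10:00:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"arn": DEVOPS_ARN},
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-12T10:00:14Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": DEVOPS_ARN},
     "sourceIPAddress": "203.0.113.10", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2022-08-12T10:00:20Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ListKeys", "userIdentity": {"arn": DEVOPS_ARN},
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied"},
    {"eventTime": "2022-08-12T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"arn": BACKUP_ARN},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2022-08-12T10:01:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": {"arn": BACKUP_ARN},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
]

# CloudTrail error codes that mean the call was rejected by authorization.
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def denied_events(events):
    """Return only the records whose API call was denied by IAM/service authorization."""
    return [e for e in events if e.get("errorCode") in DENIED_CODES]


def denied_by_principal(events):
    """Count denied calls per calling principal ARN."""
    counts = defaultdict(int)
    for e in denied_events(events):
        counts[e.get("userIdentity", {}).get("arn", "unknown")] += 1
    return dict(counts)


def flag_principals(events, threshold=3):
    """Principals whose denied-call count reaches the (assumed) alert threshold.

    A role that normally runs a fixed machine-to-machine job should almost never
    be denied; a run of denials across several services is what a stolen-key
    probe looks like and is worth paging on.
    """
    return sorted(arn for arn, n in denied_by_principal(events).items() if n >= threshold)


def summarize(events, threshold=3):
    """Human-readable lines for each flagged principal, for a quick triage view."""
    lines = []
    for arn in flag_principals(events, threshold):
        hits = [e for e in denied_events(events) if e["userIdentity"].get("arn") == arn]
        apis = ", ".join(f"{e['eventSource']}:{e['eventName']}" for e in hits)
        ips = sorted({e.get("sourceIPAddress", "?") for e in hits})
        lines.append(f"{arn}: {len(hits)} denied calls from {ips} -> {apis}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

In practice the same logic runs as a CloudWatch Logs metric filter or a SIEM rule over the CloudTrail feed; the point of the grouping by principal is that a single `AccessDenied` is routine noise, while one role collecting denials across S3, IAM, EC2 and KMS in under a minute is the signal.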
