Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
§ Context
Assumed environment: the target organisation lets engineers run sensitive software on personal devices with no MDM / EDR, and AWS keys for backup buckets are stored in the clear in dotfiles / scripts.
§ Steps
- Step | Action | Tactic | Technique
- 01 | Exploit dated Plex server on home network | Initial Access | T1190 — Exploit Public-Facing Application
- 02 | Local shell on the dev workstation | Initial Access | T1078 — Valid Accounts
- 03 | Offline crack of master passwords | Credential Access | T1110 — Brute Force
- 04 | Harvest AWS access keys + secrets | Credential Access | T1552 — Unsecured Credentials
- 05 | Identify privileged engineer (LinkedIn / GitHub) | Reconnaissance | W-RECON-GITHUB-DORK — GitHub / GitLab Dorking
- 06 | ListObjects on backup bucket | Collection | C-S3-EXFIL — S3 / Blob / GCS Mass Exfil
- 07 | Bulk download encrypted vault store | Initial Access | APT-LASTPASS-DEV — Dev-Workstation Backup Exfil (LastPass 2022)
§ References
- T1190 — Exploit Public-Facing Application
- T1078 — Valid Accounts
- T1110 — Brute Force
- T1552 — Unsecured Credentials
§ Frequently asked
- What is the "Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)" attack path?
- Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Exploit dated Plex server on home network (T1190), an initial-access primitive. Assumed environment: the target organisation lets engineers run sensitive software on personal devices with no MDM / EDR.
- What is the final impact of this kill-chain?
- The final step lands on Bulk download encrypted vault store (APT-LASTPASS-DEV), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.