The Great Tariff War of 2025 between the US and China appears to have hit a natural – if unsatisfying – climax, with both parties having skewered the other with 125%+ tariffs, and are now staring at each other, waiting to see which will bleed out first.

Despite this, a quote cited in an article from a few weeks ago has been rattling around in the back of my head, and as overblown as it is – I can’t help but wonder if this is or was a genuine possibility that pundits in our industry are wringing their hands over:

“China will retaliate with systemic cyber attacks as tensions simmer over,” cybersecurity advisor Tom Kellermann told The Register. “The typhoon campaigns have given them a robust foothold within critical infrastructure that will be used to launch destructive attacks. Trade wars were a historical instrument of soft power. Cyber is and will be the modern instrument of choice.”

Turning off water supplies, sewage, or telco networks in retaliation for an (admittedly significant) increase in cost for exports to the US? That seems like a bit much, doesn’t it?

While that quote is alarmist to say the least, I can see this being a legitimate concern for any CEO who’s already worried about the economic impact of this trade war – let alone the Cyber element.

Cyber effects and the norms surrounding them aren’t well understood outside of – let alone within – cyber security, and as practitioners it’ll often be on us to provide that context in cases like these.

So with that said, let’s dissect this, shall we?

Question #1 – Can they do it?

---

In a nutshell – yes.

Two well-documented groups with recently observed – and possibly ongoing – access to US Critical Infrastructure are Volt Typhoon, and Salt Typhoon.

Volt Typhoon was identified as a Chinese government-backed hacking group that maintained access to America’s critical infrastructure – namely systems in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors – since at least 2021 with the perceived goal of pre-positioning for destructive cyberattacks against these targets.

Salt Typhoon is another highly skilled group that’s been active for at least five years. The group gained infamy after being discovered to have compromised major telcos including Verizon, AT&T, T-Mobile and others; as well as the U.S. Treasury Department. These attacks against Verizon and AT&T are believed to have been carried out as early as 2022, and were only recently uncovered.

It’s also worth noting that Salt Typhoon were found to have compromised the private communications of targeted individuals, including the now-President Donald Trump and his Vice President J.D. Vance. It’s already well known that China has significant Cyber capability, but this is a tangible example of their ability – and appetite – to use it to target whoever they see fit.

Oh, and keep in mind – these are just two of China’s more notorious groups as of late. They also have a mature – albeit disorganised – industry of freelance threat actors they can call on, who “jockey for lucrative government contracts by pledgingevermore devastating and comprehensive access to sensitive information deemed useful by Chinese police, military and intelligence agencies”

Question #2 – Would they do it? How would this even work?

---

Given that “Cyber” is such a nebulous term that can take many forms and achieve a wide range of impacts, before we can assess the likelihood of it being used – we first need to understand how it could be used.

There are a few noteworthy possibilities to consider here:

Counterintelligence and Espionage

Salt Typhoon’s campaigns have focused on compromising telecommunications networks to collect sensitive data, including – as we mentioned above – that of the current US President and Vice President. If the Signalgate escapade is anything to go by – this may be easier than you’d think, and this level of access would provide China with strategic advantages during trade negotiations.

Expressing Displeasure and Sending Signals

Some have suggested that China could feasibly conduct intrusions with the intent of getting caught – by utilising older tools with a higher risk of detection, for example – to signal their expiring patience in the trade war with the U.S. It might seem like something out of a cheesy Political Thriller, but these “subtle signals” can be a form of communication in a broader “dialogue”.

Applying Pressure in Negotiations

China might use cyberattacks to demonstrate its capabilities and pressure the U.S. to cooperate and negotiate trade.

“China’s methods demonstrate that either the U.S. can cooperate and negotiate trade, or it can impose tariffs and cut legitimate intellectual property transfer and instead be pillaged. The message is essentially, ‘We will get your data no matter what. Do you want to make money off of it or not?’” – Ross Rustici, Cybereason’s Senior Director for Intelligence Services

Legislative Retaliation for Tariffs and Trade Actions

Beijing has clearly signaled that it won’t take this lying down. While they’ve announced tariffs on US imports, some experts believe China could also retaliate through “backdoor” methods using its cybersecurity laws. For example, interpreting the definitions of data localisation, or the concepts of “important data” and “critical information infrastructure” in such a way as to bog American companies in bureaucracy while seeking licenses and approvals to operate in their market.

Question #3 – So, would they actually follow through?

---

No.

…

Well, sort of. 🤔

To answer it in the context of that original quote – that they would choose to weaponise their “robust foothold within critical infrastructure” in the destructive capacity it’s believed to be intended for – not a chance.

There’s a saying in Chinese – “不要用大炮打蚊子” – which roughly translates to “Don’t use a cannon to kill a mosquito.” It’s essentially saying “Don’t use excessive or complicated measures when a simple solution is available.”

Access to US Critical Infrastructure isn’t something China would leverage to “send a message” in a trade dispute, especially when you consider the likelihood that this is being held “in reserve for a Taiwan crisis”, or something of a similar magnitude. The proverbial “cannon” would likely be better used elsewhere.

More conventional forms of retaliation, such as tariffs, export restrictions on critical minerals, or economic pressure on US allies, are more likely to be employed to solve the problem – and already have been as part of the tit-for-tat.

---

💡

Speaking of which – reports emerged late last week that Chinese officials had claimed credit for widespread attacks on US infrastructure – including “ports, water utilities, airports and other targets” – as a “warning to the U.S. about Taiwan.”

While this could be interpreted as proof that China would leverage their access to US Critical Infrastructure as a tool in diplomatic disputes, what it really shows is that weaponising this access is simply not necessary for the goals they want to achieve.

To spell it out a bit more clearly:

More Tub-Thumping than a Warning Shot

The tacit warning here is “Hey, pal, we have and will keep pre-positioning in US Critical Infrastructure if you keep insisting Taiwan is an independent country,” not “We’ll pull the trigger and weaponise those accesses if you don’t stop.”

That particular threat isn’t necessary to make their point, and again – that’s something you’d save for a significant crisis, not to apply pressure in a diplomatic discussion.

The Diplomats Who Cried Wolf

China have a less-than-credible history when it comes to messaging on cyber attacks, and frequently deflect attribution as the result of an “overactive imagination” on the US’ part – including calling the Volt Typhoon campaigns a US-fabricated hoax.

My point being – they’ll say whatever is most politically useful for them at the time, regardless of the evidence or facts presented.

* Old Man Shakes Fist At Cloud *

The “indirect and somewhat ambiguous” admission in a secret, closed-doors meeting is an example of what we called out earlier – their use of cyber attacks to “send signals” and exert pressure in negotiations.

Diplomacy – especially for the Chinese Government – is more about posturing than provocation.

---

That said, Cyber Espionage is a well-worn page in China’s playbook, and it’ll surprise no one to see the likes of Salt Typhoon, for example, being called on to recreate their previous successes by targeting telcos and the communications of America’s leaders. “Knowing is half the battle”, as they say.

An increased tempo of offensive Chinese-backed or enabled Cyber Operations is almost a given in the midst of an escalating trade war that seemingly has come to an uncomfortable stalemate, and the US must be prepared for it.

It’s a good thing the US has a skilled workforce of Cyber Defenders (Oh wait, no they’re shaving CISA’s workforce by 40%), a panel of experts investigating the Salt Typhoon breaches (nope, that was disbanded soon after Trump came into office), and a team of Threat Hunters ready to go (well, what’s left of them).

 

Recent developments in the United States paint a concerning picture of a nation whose leadership in the domain of cybersecurity has been effectively eroded by the short-sighted and vindictive agenda of their newly elected President.

As with his ill-advised imposition of tariffs in trade or the impulsive calls to annex Greenland (for what, we’re still not sure), a series of actions within the cyber realm suggests a shift away from strategic, expert-driven policy towards decisions potentially swayed by political expediency and personal grievances.

This erosion of stable leadership and expertise will have significant implications for the global cyber threat landscape, creating vulnerabilities that nation-state and cyber criminal adversaries alike will undoubtedly seek to exploit.

Let’s see where things have unraveled.

Deprioritisation of the Russia Threat

---

One of the first indications of the Trump Administration’s “alternative” approach to Cyber Security was in the alleged instruction to US cyber agencies to stand down on operations targeting Russian entities.

Reports surfaced suggesting that analysts at CISA were verbally told not to follow or report on Russian threats, and that Russia-related projects were being “nixed“. While CISA publicly refuted these claims, stating that there had been no change in their posture against all cyber threats, including Russia – the proximity in timing between these allegations and a reported pause in offensive cyber operations against Russia by US Cyber Command raised serious questions.

Senator Chuck Schumer criticized the Trump administration for potentially giving Russia a “free pass” amidst ongoing cyber operations and ransomware attacks against US infrastructure.

The US’ softening of its stance on Russian cyber activities – whether due to a desire for improved relations or a shift in focus towards other perceived threats – it is being interpreted as a weakening of resolve against a known adversary with a history of malicious cyber activity.

💡This perceived hesitancy could embolden Russian cyber actors – both cyber crime and nation-state – and undermine the global effort to deter their destabilising actions.

Dismantling Oversight & Accountability Mechanisms

---

The next questionable (to say the least) decision by this Administration was the dismantling of the Cyber Safety Review Board (CSRB), which was at the time in the middle of investigating the wide-ranging breach of U.S. and global telcos by the Chinese-linked group Salt Typhoon.

Senator Ron Wyden criticized the move as a “massive gift to the Chinese spies who targeted top political figures” and suggested it looked like “payback for Microsoft’s million dollar gift to Donald Trump’s inaugural committee”.

This is a massive gift to the Chinese spies who targeted top political figures. Killing the board that pressured Microsoft to up its cybersecurity looks for all the world like payback for Microsoft’s million dollar gift to Donald Trump’s inaugural committee.

— Senator Ron Wyden (@wyden.senate.gov) 2025-01-21T22:32:09.965Z

Despite initially being met with scepticism when it was first announced, the CSRB had since proved its value in providing independent and objective review of key Cyber Security incidents.

Anyone in the industry at the time will remember its scathing report on a “cascade of security failures” at Microsoft which enabled the China-aligned Storm-0558 Threat Group to compromise the systems and emails of multiple senior US leaders and Government Departments. The report led to significant commitments by Microsoft leadership to improve their security practices and culture, demonstrating the CSRB’s ability to affect change.

The abrupt termination of the CSRB, before the completion of its report on a significant nation-state attack, brings into question the administration’s commitment to independent oversight and understanding of the need to learn from past incidents.

💡By sidelining a body designed to provide impartial analysis and drive improvements in cybersecurity, the US risks losing valuable insights and hindering its ability to affect change or effectively respond to future threats.

Firing Skilled Cyber Defenders in Tense Times

---

The arbitrary staff cuts of skilled analysts in key cyber agencies like CISA and the NSA represent another critical point of failure. Reports indicate potential cuts of nearly 40 percent of CISA’s workforce, and the Trump administration has been engaged in mass firings of probationary federal employees.

Former NSA cybersecurity director Rob Joyce warned Congress that these cuts would be “devastating” for US cybersecurity operations, particularly in countering threats from China. The elimination of threat-hunting teams and the fragmentation of personnel responding to critical infrastructure threats weakens the US’ cyber defenses at a time when they are under constant attack.

The potential loss of experienced cybersecurity talent to the private sector due to uncertainty further exacerbates this issue.

“Firing cyber personnel at CISA harms national security on a daily basis — this goes well beyond disruption and is actually causing destabilization” -US Navy Rear Admiral Mark Montgomery.

💡Gutting the workforce responsible for defending national infrastructure and sharing critical threat intelligence with the private sector is foolhardy, to say the least. It undermines the foundational elements of a resilient cybersecurity posture, and opens an already highly-targeted nation up to a further cyber attacks by emboldened adversaries, which they’re now ill-equipped to respond to

Personal Insecurities Trump Global Cyber Security

---

The firing of the Director of NSA and Cyber Command, General Timothy Haugh, and the Deputy Director without clear and justifiable cause injects further instability into the US cyber leadership structure.

This decision, occurring shortly after the dismissal of other senior defense officials, has sparked concerns about political interference in traditionally nonpartisan intelligence roles. It’s been widely reported that far-right conspiracy theorist Laura Loomer met with President Trump prior to the announcement being made, and advocated for the removal of Haugh who she saw as “disloyal” to the President.

Loomer later ranted on Twitter that Haugh was “HAND PICKED by General Milley” (a Trump critic) and Wendy Noble – the Deputy Director of NSA who was fired alongside Haugh – was an “Obama loving protege” and a “Trump hater”.

Senator Mark Warner expressed deep concern, questioning how firing a “nonpartisan, experienced leader” amidst unprecedented cyber threats – while failing to hold his team accountable for leaking sensitive military information in the Signalgate scandal – makes Americans safer.

💡The abrupt removal of seasoned leaders with deep knowledge of the complex cyber and signals intelligence landscape – seemingly at the suggestion of a self-described “pro-White nationalist” – is indicative of a government that prioritises personal insecurities over global insecurities.

Loyalty Over Integrity

---

Finally, the recent revocation of security clearances for all employees of security company SentinelOne as part of a vindictive attack on former CISA head Chris Krebs underscores a deeply concerning trend.

The White House memorandum accuses Krebs of being a “bad-faith actor who weaponized and abused” his authority at CISA by censoring speech and promoting a partisan agenda related to the 2020 election and COVID-19. As a punitive measure against Krebs, who now works at cyber security vendor SentinelOne, the administration has suspended the security clearances of both him and his current colleagues pending a review.

This action, described as “unprecedented and punitive”, demonstrates a willingness to use government authority to target individuals and entities based on perceived disloyalty, regardless of the potential impact on national security.

SentinelOne, a cybersecurity company that partners with the US government, could see its ability to collaborate and secure government systems hampered by this sweeping revocation.

💡This episode starkly illustrates how personal grievances and the perceived need for retribution can override rational decision-making, potentially weakening the broader cybersecurity ecosystem

---

The US, once a perceived leader in global cybersecurity, appears to struggling – and failing – to grapple with internal instability, resulting in a shift in priorities that have diminished its capacity and reliability in addressing the escalating cyber threat landscape.

Reduced engagement against adversaries like Russia could embolden their malicious activities.

The sidelining of independent review boards hinders the ability to learn and adapt.

Staff cuts weaken the front lines of cyber defense.

Politically motivated leadership changes erode trust and expertise.

And the weaponization of security clearances against private sector entities can stifle collaboration and innovation.

In a world where cyberattacks transcend borders and can cripple critical infrastructure, a strong and dependable leadership – which has historically been embodied by the US – is paramount. The recent trajectory, however, suggests a concerning vulnerability: that strategic imperatives can – and are – being overshadowed by political agendas and personal vendettas.

The age of US leadership in cybersecurity is over – at least for the term of this administration. Time will tell if the damage caused (and yet to come) can be reversed by future administrations, but for now – as in the realms of Defence and Commerce – the world will have to redefine how it operates in the Cyber sphere without the US to rally around.

---

---

Cryptocurrency exchange operator Coinbase has revealed it responded to an incident in early February where an employee had their credentials compromised, but thankfully resisted an attempt by the attacker to socially engineer their way past the MFA protections they had in place.

Coinbase have pointed to technical overlaps with the 0ktapus campaign which took place last year and appeared to target customers of the identity provider Okta. Nearly 10,000 accounts in over 130 organisations were compromised through the campaign, which included techniques eerily similar to what was employed in this attack.

Significant Overlap in TTPs

The 0ktapus campaign marked the beginning of activity attributed to a new threat group that is now tracked as UNC3944 (Mandiant) or Scattered Spider (CrowdStrike).

While their activity has since been reported on mainly due to their experimentation with the bring-your-own-vulnerable-driver (BYOVD) technique and abuse of the Windows Hardware Compatibility Program, the attempted attack on Coinbase marks a return to their tried and true TTPs that earned them their current notoreity.

SMS Phishing

The 2022 attack on cloud service provider Twilio – as with many other victims – began with malicious links being delivered via SMS, direct to employees:

The links redirected to a spoofed sign-in page for Twilio employees – exactly the same as appears to have occurred in the attack on Coinbase:

SMS Phishing is particularly useful as – when delivered to the phone of an employee which isn’t enrolled in or protected by a Mobile Device Management (MDM) solution – it circumvents traditional Phishing mitigations in place on corporate networks.

---

Bypassing MFA

UNC3944 were noted to have directly called employees to understand the organisation’s Authentication flow and spammed them with MFA prompts (MFA Fatigue) in an attempt to circumvent MFA protections during the 0ktapus campaign. Moreover, Group-IB found that at least 5,441 MFA codes were stolen throughout their long-running campaign.

In this instance, they opted to attempt to socially engineer the Coinbase employee into helping them bypass MFA by calling them and purporting to be a member of the IT team, after having earlier stolen their credentials via the SMS Phishing lure.

On this, Coinbase have recommended being wary of incoming phone calls or text messages from the following providers:

• Google Voice
• Skype
• Vonage/Nexmo
• Bandwidth[.]com

Use of lookalike domains

Coinbase also warned that the actors behind the attack might register and use domains which resemble the company’s trusted services such as sso-<companyName>.com or login.<companyName>-sso.com.

The screenshot of the spoofed Coinbase login page we shared above, for example, was served up via the domain sso-cb[.]com.

This exact technique was used extensively during the 0ktapus campaign, and was adapted to match either the organisation being targeted or the provider they were attempting to masquerade as.

---

Additional Takeaways

Coinbase have generously shared a list of specific TTPs that stood out from this attack. The full list can be found in their disclosure, but at a high level and in addition to what’s mentioned above, Defenders should watch out for:

1. Unauthorised, successful/attempted downloads of the AnyDesk (anydesk[.]com) or ISL Online (islonline[.]com) remote desktop viewing software;
2. Attempts to access the organisation from a 3rd-party VPN provider, specifically Mullvad VPN – which was similarly called out by Okta as a constant within the 0ktapus campaign of 2022;
3. Unexpected attempts to install the EditThisCookie browser extension;
4. Use of unapproved text/file-sharing services such as riseup[.]net;
5. Attempts to enumerate customer support or employee directory applications.

Growing sophistication

UNC3944 is a highly capable threat group which has continued to experiment with new techniques in the past year, in an expansion of the tradecraft which proved so successful in the 0ktapus campaign of 2022.

The combination of their demonstrated skill – not just in circumventing MFA protections to gain initial access, but through leveraging signed and vulnerable drivers to evade EDRs – makes them a threat that all organisations should take note of and prepare to defend against.

---

Appendix A: Mitigating MFA Bypasses

This attack has reinforced how simple phone-based social engineering is used to coerce users into approving MFA prompts; and while MFA fatigue wasn’t applied in this instance – it’s a known part of UNC3944’s toolkit, and has worked in the past to compromise the likes of Cisco, Microsoft, and Uber.

In preparation for this threat, here are a few suggestions on how to mitigate it:

• Enable number matching for Azure AD MFA prompts, and give them context on where the login attempt is coming from so they can judge if it’s a dropped VPN trying to re-authenticate, or a hacker in Argentina trying to mess with them. These measures, combined, can help mitigate MFA fatigue and social engineering attempts;
• Implement layered Conditional Access Policies, in addition to MFA. E.g. user must be on an MDM-enrolled device with EDR installed; connected to the corporate VPN, and have approved a number-matching MFA prompt to authenticate;
• Use physical FIDO tokens as your MFA factor – remote attackers can’t easily spoof or socially-engineer this, so they’re much more resilient than both soft and hard tokens;
• Reduce session-token validity to 24-hours to minimise the time an attacker can maintain access before needing to again bypass MFA;
• Anticipate compromise – closely monitor Privileged Accounts to compensate for gaps in policy or visibility. Prevention is always ideal, but never a sure thing. Make sure you’re set-up to detect anomalous and unapproved activity by privileged accounts.

As many of you would have already heard, the August breach of LastPass was revealed to have been much worse than originally thought with unencrypted customer data and encrypted password vaults now confirmed to have been nicked by the attackers.

It’s hard to see how this update – the third since their initial disclosure of the breach – wasn’t designed to obfuscate the impact and shift blame to customers, with its release coinciding perfectly with the beginning of the end-of-year holiday season.

I’ve held off on publishing anything on the topic as I was hoping LastPass would come clean on their shoddy handling of the disclosure, but despite a deluge of bad press on the matter, they’ve kept silent.

Hence, this post.

I’ll start with a quick summary of what’s happened so far, before highlighting the impact LastPass’ systemic inaction and evasiveness has had on their customers and business. I’ll close by addressing the ongoing viability of LastPass as both a product, and a vendor, and what this means for the future of password managers as a security measure.

TL;DR:

After discovering evidence of compromise in their developer environment in August 2022, LastPass investigated and reported they evicted the attackers after just four days – no customer data/password vaults were affected, and the hackers only got their hands on a bit of source code and some “technical information”. No worries.

Except that despite claims by CEO Karim Toubba that the network was “physically separated” and that they had since deployed additional “enhanced security controls” and monitoring, we’ve now learned that the attackers were somehow still able to pivot into their cloud-based storage and retrieve the very data LastPass was meant to protect – customer password vaults.

Their latest advisory found the attackers leveraged the information stolen from their original compromise of their development environment in order to obtain “credentials and keys [from another employee] which were used to access and decrypt some storage volumes within the cloud-based storage service.”

While unknown, it’s possible this lateral movement could have been achieved through something as simple as a hard-coded password in a script, pilfered from the development environment in the initial intrusion.

What went wrong?

When considering the events that brought us to this point, a number of failings are apparent in three distinct areas:

1. The product – specifically, its use of outdated and inconsistent encryption implementations and master password complexity requirements. Futhermore, LastPass’ assurances that the hackers would have trouble cracking stolen password vaults hinges entirely on customers adopting “best practices” for security;
2. The response – the security team appear to have fixated on securing their source code and Production environment. This diversion of resources ultimately meant they were unable to mitigate or identify the attacker’s lateral movement into their cloud environment and consequently – to secure their crown jewels;
3. The disclosure – getting lawyers to draft a damage-minimising advisory that shifts blame and understates the risk to users; releasing it three days before Christmas and without any meaningful outcome or means of recourse for customers.

Insufficient PBKDF2 iterations

The LastPass advisory claims their product uses a “stronger-than-typical implementation” of 100,100 cycles of the PBKDF2 algorithm to salt and hash master passwords, in order to increase their resistance to password cracking.

Not only is their implementation unremarkable when compared to other password manager offerings (e.g, the free BitWarden product uses 200,001 iterations) – it’s much less than the 310,000 iterations recommended by the OWASP standard.

Moreover, LastPass only implemented this in 2018, with accounts created prior to that still only configured with the previous 5,000 iterations, making it exponentially easier for their master passwords to be brute-forced.

Worst still – some users have reported their accounts were configured with as few as 500, and even as little as one iteration (yes, a single iteration – the bare minimum) applied to their master password.

Infosec veteran Wladimir Palant has shared this detailed explanation that illustrates the potential consequences of these legacy settings. See below for a key extract from his post:

---

Legacy Password Requirements

LastPass currently requires a 12 character master password – increased from 8, back in 2018.

This change was never enforced for existing accounts, with prior users still able to log in using eight character passwords and having never received a prompt or notification warning them of the change.

While four characters may not seem like much, it could potentially increase the time taken for a single RTX 3090 GPU to crack a complex, PBKDF2-protected password up from 10 years to 363 million years.

Considering the attackers will likely have more than one graphics card at their disposal, and that some users are bound to have inadvertently used passwords present in public wordlists – those four characters may just mean the difference between compromise and safety for many customers.

Unencrypted URLs & metadata

The attackers were able to exfiltrate a significant amount of sensitive customer metadata, namely:

• Company names
• End user names
• Billing addresses
• Telephone numbers
• Email addresses
• IP addresses which customers used to access LastPass
• Website URLs from password vaults

All of these metadata fields were left unencrypted – by design – in LastPass.

Wladimir Palant cites three instances – in November 2015 (page 67), January 2017 and July 2018 – where LastPass were warned that they needed to encrypt URLs and other metadata fields in their product.

As we can see from this breach, LastPass elected to ignore those warnings.

For the hackers, the utility of this information – particularly given their theft of encrypted password vaults – is significant.

It would allow an attacker to:

1. Prioritise their cracking of vaults for users with company names, email domains, or URLs of interest, for example to:

   1. Gain access to sensitive or valuable networks by abusing valid remote access credentials;

   2. Siphon funds from customer internet banking accounts, crypto-currency wallets, etc.;

   3. Access, search for, and exfiltrate sensitive content from email accounts, or simply hijack them to conduct highly-credible phishing campaigns;

2. Potentially re-use password reset links that are still valid and hijack accounts;

3. Perform highly targeted Phishing/Vishing of users based on their sites and associated metadata.

While encrypting URLs might typically be considered overkill, its value is significantly higher when it provides the means for an attacker to easily parse and abuse stolen password vaults.

The likelihood of any one of the above scenarios happening is high, and the impact potentially severe. This is absolutely something which should have been caught in the Threat Modelling phase of LastPass’ product design process.

The issues I’ve highlighted above are just the more well-known ones – this post highlights a litany of additional flaws throughout LastPass that every user should be aware of.

The attackers were able to rummage around LastPass’ developer environment for four days, stealing source code and “technical information” that they later used to pivot into the cloud storage environment and steal customer metadata and password vaults.

The full intrusion took place over the period of four months, and while LastPass claim to have increased monitoring and deployed additional security measures, it seems to have been focused in the wrong area.

Don’t follow the bouncing ball

LastPass CEO Karim Toubba was very intentional in emphasising that the Developer environment was segmented from Production, reassuring customers that only “portions” of source code were impacted; that the attackers had been evicted, and they had taken steps to prevent further attacks.

Given the attackers were observed going after and obtaining LastPass source code in their initial attack, the assumption was likely made that this was their primary objective. Given this, their security teams would have been directed to prioritise protecting it from further unauthorised access, and ensuring the actors never made it to the Production environment.

While seemingly logical, this highlights two points of failure in their response:

1. They followed the bouncing ball, focusing on protecting their source code while neglecting to consider the need for increased monitoring and hunting for anomalous access to their other crown jewel – customer metadata and password vaults;
2. They fixated on enforcing and monitoring the boundary between Development and Production environments, neglecting to consider the security of other environments such as their cloud storage.

While assumptions have to be made when deciding how to respond to an incident, defenders need to be mindful that they aren’t following an assumed linear path of intrusion. Attackers can have multiple primary and secondary objectives, and take any one of a multitude of paths to get there.

In this case, it would have also been valuable to review the stolen contents for authentication material/potential lateral movement paths that the attacker could leverage in their attempts to regain access or attack other environments. This would have potentially enabled LastPass to better direct their investigative and remediation efforts in the wake of the initial breach.

Having clearly defined “crown jewels” and operating environments is a core consideration when performing Threat Modelling, and would have been instrumental in ensuring monitoring and hunting resources were appropriately distributed in a planned – not reactive – manner, when seeking to contain and mitigate this long-running attack.

You can tell a lot about a person through the way they acknowledge – or don’t acknowledge – their mistakes, and the same goes for companies.

I won’t delve into this much, because I think LastPass’ handling of this breach speaks for itself.

The bottom line is that I’m unable to trust a company that tries to hide from its responsibility by citing false claims of implementing “stronger-than-typical” cryptography; puts the onus on customers to have followed their best practices guide, and fails to address systemic issues in its core product over a period of years.

LastPass’ viability as a Product

While the headline is that LastPass failed to evict their attackers and a substantial amount of data was stolen, the breach has highlighted fundamental flaws in their product’s design and how they have (or have not, in this case) maintained it.

Improvements to security standards (i.e. the iterations of the PBKDF2 algorithm and master password length requirements) weren’t applied retrospectively to existing accounts, meaning their assurances of how hard it’d be to brute force a master password count for very little. As it turns out, they were prompted multiple times by Wladamir Palant to do so, but appear to have falsely claimed to have done so, in order to get him to stop asking.

Furthermore, by stealing customers password vaults, the attacker can bruteforce the master password at their leisure with the added benefit of having bypassed any value MFA would have provided against a remote attack. Again, this is something that should have been considered as part of a Threat Modelling exercise when designing the product.

It’s clear the LastPass product design is deeply flawed, poorly maintained, and uncompetitive with other free and paid alternatives such as BitWarden and 1Password.

The end of Password Managers?

Password Managers allow the ordinary user to use complex and unique passwords for each site and service they use – that alone makes it an essential protection against credential stuffing, spraying, and brute force attacks.

This breach has simply made it clear that LastPass is in a class of their own, and in all the wrong ways.

Free offerings such as BitWarden implement a total of 200,001 PBKDF2 iterations between the client and server, with important metadata such as your originating IP and site URLs either not being logged, or encrypted within your vault.

1Password is a mature, paid alternative to LastPass that is unique in that in addition to using a master password, it requires an additional Secret Key when attempting to access your password vault. This key is stored locally on your device, meaning even if an attacker was able to dump a copy of your vault like they did with LastPass, they wouldn’t be able to brute-force it without also compromising your device to extract that Secret Key.

Please note I’ve provided these examples not to steer you in either direction, but to give you a starting point in picking an alternative, if you or your organisation are among those affected.

Password managers are a great solution that has real-world benefits to both individuals and businesses – LastPass appears to have simply dropped the ball in spectacular fashion in this case, while there are plenty of others that haven’t.

---

Further Reading

1. LastPass’ December Notification: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident
2. A summary of what the attacker was able to steal and what impact it has: https://grahamcluley.com/lostpass-after-the-lastpass-hack-heres-what-you-need-to-know/
3. A breakdown of why LastPass’ disclosure was misleading and an act of bad faith for customers: https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
4. A Class Action law suit has been filed against LastPass: https://mastodon.social/@campuscodi/109633075256191444
5. How the breach impacts LastPass SSO: https://medium.com/@chaim_sanders/how-the-lastpass-breach-affects-lastpass-sso-ada0c8bffd83
6. Reporting on the August breach: https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/
7. Follow-up in September: https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-had-internal-access-for-four-days/
8. Article on the December notification: https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/

---

 ***** Start Executive Tearline *****

Cyber criminals will consistently seek out the path of least resistance when searching for victims to attack. Unfortunately for Australia, it has served as the proverbial lighting rod for the latest strikes that have resulted in data theft and extortion attacks against our second largest Telco, Optus; our largest private health insurer, Medibank, and more.

This is part of a larger trend, with one cyber security vendor reporting an 81% increase in attacks on Australian organisations in the 11 months to June 2022, and another finding there was a 56% increase in ransomware attacks targeting entities in Asia over the first three quarters of 2022.

Australian legislators are responding by calling for increased financial penalties and scrutiny for companies that suffer serious data breaches, which builds on a two-part Bill targeting critical infrastructure operators that passed into law earlier this year.

Prepare for a changing regulatory environment, greater oversight

Australia has already significantly bolstered critical infrastructure protections through passing the Security Legislative Amendment (Critical Infrastructure Protection) Bill 2022 (a.k.a. the SLACI Act), and is attempting to achieve a similar outcome for personal data with the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which was introduced into Parliament on the 26th of October.

If passed, this bill will:

1. Significantly increase the potential penalty for “serious or repeated privacy breaches”;

2. Provide the Office of the Australian Information Commissioner (OAIC) with powers to:

   1. Request information and conduct compliance assessments of the notifiable data breach regime;

   2. Require entities to conduct external reviews of their internal processes and to notify affected individuals of specific privacy breaches;

3. Establish information sharing powers for the OAIC and Australian Communications and Media Authority (ACMA).

The government is also taking steps to empower enforcement agencies, announcing in the recent Federal Budget that the OAIC would receive an additional $5.5 million in funding over two years to help it “investigate and respond” to the Optus breach, and a further 48 staff in the next financial year to boost its overall workforce.

As mentioned, all this is in addition to the SLACI Act which applies to organisations operating in 13 critical infrastructure sectors. The Act establishes increased reporting obligations; mandates the adoption of a risk management program, and affords the government step-in powers in the case of a cyber incident impacting an organisation governed by the Act.

A full summary of what this means for affected organisations can be found here.

Recommendations

Organisations operating in a sector governed by the SLACI Act should familiarise themselves with what it means for them and take immediate steps to ensure compliance if you aren’t already, as it is already in force.

Obligations stemming from this Act may be further compounded by measures laid out in the Privacy Legislation Amendment Bill currently before Parliament if it is passed. You can monitor the progress of the Bill by clicking the “Track” button on the official Parliamentary Business page.

Regardless of the outcome, it’s worth noting the key factors that brought the Optus and Medibank breaches into the public spotlight were:

1. Their market presence, and subsequently the number of individuals impacted;
2. The criticality of the services provided – both Optus and Medibank are captured under the SLACI Act;
3. The sensitivity of the stolen data, and its potential to be abused for identity theft and fraud.

Organisations whose business model alligns with the above factors would benefit greatly from proactively evaluating existing data security measures; investing in Data Loss Prevention measures, and establishing Incident Response and Cyber Security Monitoring teams and processes.

***** End Executive Tearline *****

---

Privacy Matters – How did we get here?

A sudden burst of high-profile breaches this month has cast a spotlight squarely on Australian organisations and government agencies. Specifically, it has raised questions on their ability to both prevent and respond to breaches of their networks and sensitive customer information.

The theft of 9.8 million customer records from Australia’s second-largest Telco, Optus, has been followed swiftly by another data breach impacting Medibank – the largest health insurer in Australia.

Interestingly, in a seven day period in that same week, PII of some 500,000 subscribers to Australian wine retailer Vinomofo were stolen from a test system; online retailer MyDeal suffered a breach of 2.2 million customer records, and energy company EnergyAustralia reported unauthorised access to the accounts of 323 residential and business customers.

Unlike the breaches of Optus and Medibank, these quickly fell out of the news cycle. Why?

At first glance you might think the quantity of breached records for MyDeal or criticality of EnergyAustralia’s systems might warrant more scrutiny or outrage, but what is consistent in these three breaches is the type and sensitivity of data that was stolen.

In the cases of both Medibank and Optus, key identity documents such as drivers license or Medicare details were stolen. A Drivers license alone is sufficient to satisfy regulatory requirements for a bank’s Customer Identification Process, while paired with a Medicare card it will count for 75 of 100 points of ID required for a National Police Check.

The potential for identity theft – and at such a huge scale – clearly delineates the Optus and Medibank breaches from the more commonplace thefts of personal data or credit card information, and has forced the Australian government to take decisive action.

It’s against this backdrop that the Australian Government have introduced a Bill to Parliament which seeks to increase penalties for “serious or repeated privacy breaches” and provide the key privacy watchdog – the Office of the Australian Information Commissioner – more powers to tackle privacy breaches.

This measure comes on the heels of the previous government’s proposed – but not legislated – criminal penalties for ransomware attacks on critical infrastructure, and a landmark two-stage Critical Infrastructure Protection Bill that became law in April this year.

Lessons Learned from Medibank’s Response

Medibank have struggled from the onset to identify and contain the scope of this breach, with each new discovery appearing to have been revealed by the attacker, and not the investigators themselves.

After initially stating they had intercepted the attack before customer data could be obtained, Medibank quickly backtracked after the attacker contacted them with evidence of customer policies and PII they had stolen, claiming to have exfiltrated 200GB of data in total. The attacker further threatened to find data of prominent customers and “people with very interesting diagnoses” and email it to them in order to further exert pressure on Medibank to negotiate a ransom payment.

The scale of this breach has since grown to further encompass customers of the main Medibank brand, and has to potential to impact a further 3.9 million individuals.

From what we know so far, three key failings can be observed:

1. The compromise was not only discovered too late, but mistakenly concluded that the breach was contained without impact to customer data. Investigators failed to uncover evidence of data exfiltration before the actor made contact demanding payment;
2. More broadly, there appears to be a lack of network visibility, accesses, and/or immature IR capability and practices, which have hampered their ability – at every step – to adequately gauge the scope of the breach;
3. Medibank’s lack of cyber insurance is expected to result in an estimated cost of $25 – $ 35 million to respond to the cyber incident. This represents as much as 23% of their unallocated capital; does not include “further potential customer and other remediation, regulatory or litigation related costs”, and may climb further, the longer the incident drags on and if systems need to be recovered.

It is imperative that organisations and security practitioners heed the lessons learned here, in order to ensure history doesn’t repeat itself.

---

Increased targeting of Australian entities in 2022

The recent spate of compromises of Australian companies comes on the tail of a period of increased targeting of entities operating not just in Australia, but the broader Asia region.

Cyber security vendor Imperva recently reported they observed an 81% increase in attacks on Australian organisations in 11 months to June 2022. Attacks they rated as “critical” rose 230% between August 2021 and May this year – nearly twice the global rate during the same period.

A fellow industry player, Sonicwall, has highlighted a drastic shift in targeting away from the US and UK in preference of Europe and Asia-based targets over the first three quarters of 2022. Organisations in Asia saw a 38% increase in malware delivery, and a staggering 56% increase in ransomware attacks compared to 2021.

Where to from here?

Just this week Microsoft released a report looking at a ransomware actor it tracks as DEV-0832, noting that “the group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payout.”

This brings us back to my original point from the start of this piece – cyber criminals will consistently seek out the path of least resistance, and so it’s imperative that your organisation nails the basics to avoid being targeted.

The vast majority of cyber incidents stem from one of three attack vectors:

1. Compromising vulnerable internet-facing assets – typically resulting from unpatched vulnerabilities;
2. Delivering malware via Phishing emails;
3. Stolen credentials – these can be purchased trivially on the Dark Web; and according to a “source close to the [Medibank] investigation”, were the root cause of the ongoing breach;

Recommendations: Protect & Detect

Implement Multi-Factor Authentication (MFA) across all user accounts

MFA is your best bet to preventing unauthorised access to internal resources and systems – even if a set of valid user credentials are compromised, an attacker won’t be able to log in without that second factor of authentication.

While highly effective against low-sophistication attacks such as password spraying and credential stuffing, no defence is perfect (demonstrated through the 0ktapus compromises, for example), which is where recommendation #2 comes in:

Enforce granular Conditional Access policies

In addition to requiring an additional authentication factor, major identity providers – such as Microsoft’s Azure Active Directory – provide the ability to configure strict requirements for devices that login attempts originate from.

The specific criteria you can apply depends on the technologies you have, but can include things like:

1. Requiring the device to be enrolled in your company MDM (e.g. Microsoft Intune);
2. Ensuring the remote asset is fully patched and has an up-to-date antivirus running;
3. Restricting the physical location and/or IP address space the authentication event can originate from;
4. Preventing authentication from devices not connected to the company VPN.

Implement/plan for adoption of FIDO Keys

While soft tokens such as SMS or App-based offerings are low-cost and relatively straightforward to implement, FIDO keys (e.g. the Yubikey) can be used as a physical token in the MFA authentication flow. This makes abusing stolen credentials virtually impossible for remote attackers, as they aren’t able to steal physical tokens in the same way they can soft tokens, in order to bypass MFA.

youtube

🔑How does a FIDO security key limit the hacks we’re seeing in the news now?🔑
Beyond fun to work with @Yubico & partner with @Twitter to answer that question + demo how social engineering is used to steal passwords & siphon out MFA codes to gain admin access with @evantobac. — Rachel Tobac (@RachelTobac) 5:19 PM ∙ Sep 28, 2022

While initially highly effective, attackers have adapted to bypass soft token-enabled MFA protections, with services such as the EvilProxy (a.k.a. Moloch) Phishing-as-a-Service platform being sold on Dark Web forums for as little as $400 per month, and able to programmatically bypass both Google and Microsoft’s SMS and Mobile App-enabled MFA.

The impact of this approach was seen at scale in the ScatterSwine/0ktapus compromises, with over 130 organisations compromised through a series of attacks that abused stolen user credentials and intercepted MFA codes to access their internal networks and data.

Microsoft have shared detailed guidance on how to implement stringent MFA and Conditional Access Policies in order to protect against attempts to socially engineer MFA approval, and have recently released an update to their Authenticator app to introduce number matching and provide additional context to MFA requests.

Monitor for PUPs, in particular Remote Management Software

Potentially Unwanted Programs (PUPs) are a challenge for every organisation, though special attention should be paid to Remote Management Software such as AnyDesk, Teamviewer, and Atera.

While predominantly used for legitimate purposes, these tools have been abused by cyber crime and ransomware actors who install attacker-controlled copies of the software in order to gain and maintain access to victim networks.

This research from Synacktiv is an excellent resource for Defenders looking to better understand and detect these tools on your networks.

Monitor for insider threats & unusual user activity

Attackers can’t do much without compromising an identity with the right permissions and accesses – this makes monitoring for uncharacterstic user behaviour an essential measure that can help identify potential compromise. As a minimum, Defenders should look to identify and investigate anomalous login activity and attempts to access resources outside of their business area or remit.

Trusted insiders are one of the most difficult initial access vectors to identify, due to the legitimacy of the recruited insider and their pre-existing knowledge of the network. The Lockbit ransomware crew attempted in August last year to recruit insiders with the promise of multi-million dollar payouts, and the Lapsus$ threat group are known to have paid employees for credentials and MFA approval as part of their wide-ranging hacking spree that hit Microsoft, NVIDIA, Samsung, and more.

Implementing User Behavioural Analytics and Data Loss Prevention solutions can help identify potential Insider Threats, though a good low-cost starting point is to selectively deploy Canary Tokens in your most sensitive network locations and files.