From the article: “This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,”
“According to a person briefed on a private report from LastPass and spoke on the condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex.”
While I’m aware probably nothing will be acknowledged or admitted here or elsewhere regarding the accuracy of the report, or if the alleged exploit has since been identified and patched, I felt like this was worth sharing so end users can at least be aware. Perhaps there are others who hold keys to kingdoms that may want to uninstall Plex from those systems as a result.
As I have said in the threads over the years in the couple of other ‘security’ issues with Plex in my 10 years with them, I don’t expect total impunity to hackers but I do expect total transparency from Plex and with urgency.
Please note it was supposedly someone that had seen the report from LastPass that said it may have been a security hole in Plex that allowed a keylogger to be run. Anyone that believes anything that LastPass says is a fool.
As one person said in the comments …
unless he was running a (Plex) version from prior to mid-2020, it didn’t have a remote code execution flaw that we know about, and at no point did the article say that it did or even imply that.
Yeah, it would be nice to have some communication from Plex here, even if it’s just “we are looking into it and will have an update as soon as possible”. Just some kind of acknowledgment and letting us know if we should be restricting any access. Who knows maybe he had a really out of date version or poor security on user accounts, but not hearing anything is troubling.
Judging by Plex and the extreme difficulty they have making basic functions reliable, or breaking something by fixing another, there is a high probability this software is nowhere near secure.
Prove otherwise.
Better lock down your remote Plex ports to authorized subnets only.
While I understand that LastPass has not been forthcoming, I would not translate that to “I wouldn’t believe anything from LastPass”. Surely what they say should be suspect until proven. Anyways, I switched to a self-hosted instance of VaultWarden/BitWarden long ago.
We have not been contacted by LastPass so we cannot speak to the specifics of their incident. We take security issues very seriously, and frequently work with external parties who report issues big or small using our guidelines and bug bounty program. When vulnerabilities are reported following responsible disclosure we address them swiftly and thoroughly, and we’ve never had a critical vulnerability published for which there wasn’t already a patched version released. And when we’ve had incidents of our own, we’ve always chosen to communicate them quickly. We are not aware of any unpatched vulnerabilities, and as always, we invite people to disclose issues to us following the guidelines linked above. Given recent articles about the LastPass incident, although we are not aware of any unpatched vulnerabilities, we have reached out to LastPass to be sure.
I understand they weren’t exactly truthful in the past. That does not translate to 100% of everything that comes out of their mouth being 100% a lie. Would I be suspicious of what they say? Certainly. But to lie 100% of the time would mean to pull a George Santos and I’d say even he tells the truth on occasion. I guess that’s the difference between you and me. It’s a question of absolutes and I try to steer clear of them because they are always wrong - 100% of the time!
I sympathize with Plex here; unless LastPass or the employee in question chooses to cooperate, they don’t really have any details to go on, and so also no way to assuage our concerns.
EDIT: That said, for the time being, I’ve disabled remote access.
To be pedantic here for a second - that’s exactly what absolutes are. When you say “anything” you are stating it in absolute terms, IOW without exception. As an example, if LP was to say “The sky today was blue and Plex had nothing to do with our breach” you’d have to question the sky is blue part equally as the second part in order for the term anything to make any sense. That’s how English and absolutes work.
We now return you to our conversation about Plex and LP… already in progress.
Of course we understand there are not concrete details yet, but I’m sure you can understand why even a threat of an RCE in the Plex software could make people very nervous. Transparency is key here.
To be more clear, nobody should be pointing fingers, we just need everyone to be aware of what’s being reported just in case. We could totally end up finding out it was a “Plex server” that was pwned by a Windows or Linux vuln or that the whole thing was BS, or one of 19 million other things. Point being: if my company was being “associated” with some kind of 0day obviously I’d want to be on high alert, looking for IOCs, reviewing logs, and making sure my customers know we’re aware of the “reports” and looking into it.
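Two practical suggestions run through this thread: lock the remote Plex port down to authorized subnets only, and go through your logs for anything that should not have reached it. The script below is an added example, not code from the thread or from Plex, that does both against a constructed log sample: it renders an nftables allowlist for the Plex port and flags logged connections to that port from outside the allowlist. It assumes Plex Media Server is on its default TCP port 32400, that the authorized subnets (a home LAN and a VPN range, hypothetical values) are the only ones that should reach it, and that firewall logs can be reduced to `src=… dst=… dport=…` fields; the log lines are constructed for the example, not real captures.

```python
"""Added example (not from the forum thread or from Plex): allowlist the Plex port
by source subnet and flag logged connections that fall outside the allowlist.

Assumptions not stated in the thread:
- Plex Media Server listens on TCP 32400 (its default port).
- The authorized subnets below are hypothetical.
- Log lines carry "src=... dst=... dport=..." fields; the sample lines are constructed.
"""
import ipaddress
import re

PLEX_PORT = 32400

# Hypothetical subnets allowed to reach the Plex port.
AUTHORIZED_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),   # home LAN
    ipaddress.ip_network("10.8.0.0/24"),      # VPN client range
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def is_authorized(src_ip: str) -> bool:
    """True only if src_ip parses and lies inside an authorized subnet.
    Unparsable sources are treated as unauthorized (fail closed)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in AUTHORIZED_SUBNETS)


def render_nft_rules() -> list:
    """Render nftables rules for the Plex port: accept authorized subnets, drop everything else.
    Order matters: the accept rules must precede the final drop."""
    rules = [
        f"nft add rule inet filter input tcp dport {PLEX_PORT} ip saddr {net} accept"
        for net in AUTHORIZED_SUBNETS
    ]
    rules.append(f"nft add rule inet filter input tcp dport {PLEX_PORT} drop")
    return rules


def parse_line(line: str):
    """Extract (src, dst, dport) from one log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_unauthorized(lines) -> list:
    """Return (src, dst) pairs for connections to the Plex port from outside the allowlist."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip lines that are not connection records
            continue
        src, dst, dport = parsed
        if dport == PLEX_PORT and not is_authorized(src):
            hits.append((src, dst))
    return hits


# Constructed sample log: two LAN/VPN hits, two Internet sources, one non-Plex port, one junk line.
SAMPLE_LOG = [
    "2023-03-01T10:00:00Z src=192.168.1.20 dst=192.168.1.10 dport=32400 action=accept",
    "2023-03-01T10:00:05Z src=203.0.113.7 dst=192.168.1.10 dport=32400 action=accept",
    "2023-03-01T10:00:09Z src=10.8.0.5 dst=192.168.1.10 dport=32400 action=accept",
    "2023-03-01T10:00:12Z src=198.51.100.44 dst=192.168.1.10 dport=22 action=drop",
    "garbage line with no connection fields",
    "2023-03-01T10:01:00Z src=198.51.100.44 dst=192.168.1.10 dport=32400 action=accept",
]

if __name__ == "__main__":
    print("Allowlist rules:")
    for rule in render_nft_rules():
        print("  " + rule)
    print("Connections to the Plex port from outside the allowlist:")
    for src, dst in find_unauthorized(SAMPLE_LOG):
        print(f"  {src} -> {dst}")
```

The rendered rules are printed rather than applied so they can be reviewed first; if your host uses a different firewall front end, the same accept-list-then-drop shape carries over. Any source the log parser flags is a candidate for the log review the last post describes, not proof of compromise on its own.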