The hacker exploited a vulnerability in the Plex Media Server software that was patched in May 2020. 'The version that addressed this exploit was roughly 75 versions ago,' Plex says.
It turns out the massive breach at LastPass could have been stopped, or at least delayed, if a company employee had updated a piece of software on their home computer.
This week, LastPass revealed the hacker pulled off the breach by installing malware on an employee’s home computer, enabling them to capture keystrokes on the machine. But one lingering question was how the malware was delivered.
At the time, LastPass said only that the hacker exploited “a vulnerable third-party media software package,” without naming the vendor or the exact flaw. That led many to wonder if the hacker had abused a currently unknown vulnerability, which could put many other users in harm’s way.
PCMag has since learned the hacker targeted the Plex Media Server software to load the malware on the LastPass employee's home computer. But interestingly, the exploited flaw was nothing new. According to Plex, the vulnerability is nearly three years old and was patched long ago.
Plex told PCMag the vulnerability is CVE-2020-5741, which the company publicly disclosed to users in May 2020. “An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” the company said back then.