Two ongoing phishing campaigns are targeting LastPass, Bitwarden, and 1Password customers with fake breach alerts in an attempt to distribute malware.
In the cases of LastPass and Bitwarden, hackers are impersonating the two popular password management brands and falsely telling victims that the companies have been hacked.
The hackers go on to say that users should install a more secure version of the password management apps by following a link in the email body.

However, these links actually lure users into downloading a binary that installs Syncro, a legitimate Remote Monitoring and Management (RMM) tool, according to BleepingComputer. The attackers then use Syncro to launch ScreenConnect, a remote access and support product. From there, they can deliver malware to victims’ devices, steal data, and compromise their password vaults through saved credentials.
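The chain above (lure binary from a browser download, then an RMM agent, then a second remote-access tool started by the first) is the kind of sequence endpoint telemetry can catch. The following detector is an added example, not code from the article, BleepingComputer, Syncro or ScreenConnect; the process names, paths, host names and the sample events are all constructed for illustration.

```python
# Added example (not from the article or the vendors named in it): flag process-creation
# events matching the RMM-abuse chain, on hosts that are not supposed to run an RMM agent.
# Process names, paths and host names below are assumptions chosen for illustration.
from typing import Iterable

# Substrings identifying remote-monitoring / remote-access tooling, matched
# case-insensitively against image path, parent path and command line.
RMM_MARKERS = ("syncro", "screenconnect", "connectwise")

# Hosts where an IT-approved RMM agent is expected to run (assumed inventory).
APPROVED_RMM_HOSTS = {"it-helpdesk-01"}

# Interactive parents from which an RMM installer should never be launched.
USER_LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}


def is_rmm(text: str) -> bool:
    """True if the path or command line references a known remote-access tool."""
    low = text.lower()
    return any(marker in low for marker in RMM_MARKERS)


def detect_rmm_abuse(events: Iterable[dict]) -> list[dict]:
    """Return one alert per suspicious event on hosts without an approved agent:
    - rmm_from_user_download: RMM tooling launched by a browser or mail client,
      or from a file in a user's Downloads folder (the phishing-lure binary);
    - rmm_spawns_rmm: one remote-access tool starting another (Syncro -> ScreenConnect).
    """
    alerts = []
    for ev in events:
        if ev["host"] in APPROVED_RMM_HOSTS:
            continue
        image, parent, cmdline = ev["image"], ev["parent_image"], ev.get("cmdline", "")
        if not (is_rmm(image) or is_rmm(cmdline)):
            continue
        parent_name = parent.lower().rsplit("\\", 1)[-1]
        reasons = []
        if parent_name in USER_LAUNCHERS or "\\downloads\\" in (image + parent).lower():
            reasons.append("rmm_from_user_download")
        if is_rmm(parent):
            reasons.append("rmm_spawns_rmm")
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "image": image, "reasons": reasons})
    return alerts


# Constructed sample telemetry (Sysmon-style process-creation events, simplified).
SAMPLE_EVENTS = [
    {"ts": "10:01:12", "host": "ws-finance-07",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Users\alice\Downloads\LastPass_Secure_Update.exe"},
    {"ts": "10:01:40", "host": "ws-finance-07",
     "parent_image": r"C:\Users\alice\Downloads\LastPass_Secure_Update.exe",
     "image": r"C:\Program Files\Syncro\Syncro.Service.exe"},
    {"ts": "10:04:55", "host": "ws-finance-07",
     "parent_image": r"C:\Program Files\Syncro\Syncro.Service.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "10:06:03", "host": "it-helpdesk-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Syncro\Syncro.Service.exe"},
    {"ts": "10:09:17", "host": "ws-finance-07",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Syncro\Syncro.Service.exe"},
]

if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the detector raises two alerts for the finance workstation (the agent installed by the lure binary, then the agent starting ScreenConnect) and stays silent for the approved helpdesk host and for the later service-manager restart of the agent. The lure binary itself carries no marker, which is why the first rule keys on the parent's location rather than on the installer's name.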
Following the campaign, LastPass has denied any attack against its systems.
“LastPass has NOT been hacked, and this is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails,” the vendor says.
LastPass added that the campaign took place over a holiday weekend in the US, which could have been planned by the threat actors in order to take advantage of reduced staffing and, therefore, delayed detection and response.
At the time of writing, LastPass is working to have the malicious domains taken down, while Cloudflare is blocking access to, and posting warnings in front of, the malicious landing pages included in both the LastPass and Bitwarden impersonation attempts.
Syncro also confirmed in a statement to BleepingComputer that the platform itself was not compromised, but abused by a threat actor, who created an account to use for nefarious purposes. The vendor has since identified the malicious accounts and shut down the installs to prevent further attacks.
Phishing For Master Passwords
In addition to the campaign impersonating LastPass and Bitwarden, another phishing campaign has been targeting 1Password users with emails claiming that the victims’ accounts had been compromised.

Victims were directed to click on a link to reset their master passwords; this directed them to a phishing page where they were encouraged to “verify” their account by entering their email address, the secret key associated with their account, and their current master password—in other words, all the information the attackers would need to log into 1Password as the victim and steal all their saved credentials.
Recommended Action
LastPass urges users to remember that no one at LastPass will ever ask them for their master password. If unsure whether communications seemingly from the company are legitimate, users should submit them to [email protected].
Users of other password managers should also never reveal their master password and, if concerned about their accounts, should check the vendor’s official website for breach updates. In addition, organizations should conduct regular security awareness training to help users identify phishing attempts, encourage users to enable multi-factor authentication for their password managers, and ensure they keep their password management software up to date to avoid the exploitation of known vulnerabilities.
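The two checks the 1Password lure and the advice above boil down to are mechanical: every link must land on the vendor's own registrable domain (not a look-alike such as a vendor name prefixed to an attacker's domain), and a genuine reset flow never asks for the secret key and master password in the message. The following triage script is an added example, not code from the article or any of the vendors; the official-domain allowlist, the heuristics and the sample e-mail are assumptions constructed for this illustration.

```python
# Added example (not from the article or the vendors named in it): triage the links and
# wording of a suspected "breach alert" e-mail before anyone clicks. The allowlist, the
# heuristics and the HTML sample are assumptions made for this example.
import re
from urllib.parse import urlparse

# Registrable domains assumed to be the vendors' own (extend from each vendor's docs).
OFFICIAL_DOMAINS = {"lastpass.com", "bitwarden.com", "1password.com"}

# Vault secrets a legitimate vendor mail never needs the reader to type in.
CREDENTIAL_TERMS = ("master password", "secret key")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
SHOWN_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: no public-suffix list, so
    country-code second-level domains such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html: str) -> list[dict]:
    """One record per anchor: the target's registrable domain and why it is suspect."""
    records = []
    for href, inner in ANCHOR_RE.findall(html):
        parsed = urlparse(href)
        target = registrable_domain(parsed.hostname or "")
        reasons = []
        if target not in OFFICIAL_DOMAINS:
            # Catches the subdomain trick: lastpass.com.<attacker-controlled>.example
            reasons.append("domain_not_official")
        shown = TAG_RE.sub("", inner).strip()
        m = SHOWN_HOST_RE.match(shown)
        if m and registrable_domain(m.group(1)) != target:
            # Visible text names one site while the href goes to another.
            reasons.append("link_text_mismatch")
        if parsed.scheme != "https":
            reasons.append("not_https")
        records.append({"href": href, "domain": target, "reasons": reasons})
    return records


def asks_for_credentials(html: str) -> list[str]:
    """Return which vault secrets the message asks the reader to provide."""
    text = TAG_RE.sub(" ", html).lower()
    return [term for term in CREDENTIAL_TERMS if term in text]


def triage_email(html: str) -> dict:
    """Combine both checks into a single verdict with the evidence behind it."""
    links = check_links(html)
    terms = asks_for_credentials(html)
    return {
        "links": links,
        "credential_terms": terms,
        "suspicious": any(r["reasons"] for r in links) or bool(terms),
    }


# Constructed sample resembling the lures described in the article.
SAMPLE_EMAIL = """
<p>Your LastPass vault may be affected by a security incident. Install the patched client:</p>
<p><a href="https://lastpass.com.secure-update-portal.example/download">https://lastpass.com/download</a></p>
<p>To verify your identity, have your email address, secret key and master password ready.</p>
<p>Questions? Visit <a href="https://support.lastpass.com/">our support center</a>.</p>
<p><a href="http://bitwarden-alerts.example/reset">Reset your Bitwarden master password</a></p>
"""

if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
```

On the sample, the first link is flagged both because its registrable domain is not the vendor's and because the visible text claims lastpass.com while the href goes elsewhere; the support link to a real vendor subdomain passes; the third link fails on domain and on plain HTTP; and the body is flagged for asking for the secret key and master password. The domain split is deliberately naive (two labels), which is the one place a production version would plug in a public-suffix list.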