
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming the companies have been hacked, urging them to download a more secure desktop version of the password manager.
The messages direct recipients to download a binary discovered by BleepingComputer, which installs Synchro, a remote monitoring and management (RMM) tool used by managed service providers (MSPs) to streamline IT operations.
Threat actors are using the Synchro MSP program to deploy ScreenConnect Remote Support and Access software.
‘Unsafe’ old .EXE install
In a threat alert this week, LastPass made it clear that the company has not suffered any cybersecurity incidents and that the message is a social engineering attempt by a threat actor.
“To be clear, LastPass has not been hacked, and this is an attempt on the part of a malicious actor to gain attention and create urgency in the recipient’s mind, which is a common tactic for social engineering and phishing emails,” LastPass said.
According to the company, the campaign began over the weekend, presumably to take advantage of reduced staffing and delayed detection on the Columbus Day holiday weekend.
The phishing emails are well-crafted and urge recipients to install a more secure desktop app, which the messages claim LastPass developed as an MSI replacement for the “old .exe format,” supposedly because that format had vulnerabilities allowing access to Vault information.
“Attackers exploited a vulnerability in an older .exe installation that, under certain conditions, could allow unauthorized access to cached Vault data,” the threat actor’s fake security alert reads.

Source: BleepingComputer
LastPass notes that the fraudulent messages come from hello@lastpasspalse(.)blog, but BleepingComputer also saw emails sent from hello@lastpasjournal(.)blog.
Bitwarden users also targeted
Phishing emails also impersonate Bitwarden and share the same writing style and lure in an attempt to create a sense of urgency and convince recipients to follow a download link to a better desktop application.
Yesterday, BleepingComputer received a notice from ‘hello@bitwardenbroadcast.blog’ describing a similar security incident that supposedly prompted the release of a secure client app that users need to install.

Source: BleepingComputer
At the time of writing, Cloudflare is blocking access to landing pages included in fraudulent emails and flagging them as phishing attempts.
Legitimate tools for remote access
BleepingComputer retrieved binary samples distributed in phishing emails targeting LastPass and Bitwarden users and found that they are functionally identical.
The malware installs the Synchro MSP Platform Agent with parameters that hide its system tray icon in an attempt to keep the user unaware of the new tool.
Based on our observations, Synchro’s sole purpose appears to be to deploy the ScreenConnect Support Tool as a “bring your own” installer, providing the threat actor with remote access to the endpoint.
The Synchro agent is configured with very few options, which suggests the threat actors limited it to only the functionality they need.
The configuration files show that the agent checks with the server every 90 seconds. It does not have built-in remote access enabled and does not deploy the remote support utilities Splashtop, which is bundled with the Synchro platform, or TeamViewer, for which an integration exists.
Additionally, the extracted configuration did not include policies for deploying security solutions on compromised endpoints, and the Emsisoft, Webroot, and Bitdefender agents were disabled.
Once ScreenConnect is installed on a device, threat actors can remotely connect to the target’s computer and deploy further malware payloads, steal data and potentially access users’ password vaults via saved credentials.
Phishing for 1Password accounts
Last week, another campaign targeted 1Password users with emails falsely alerting them that their accounts had been compromised. The indicators of that activity differed, from the wording of the message and the landing URL to the sender’s address (watchtower@eightninety(.)com).

Source: Malwarebytes
Researchers at cybersecurity company Malwarebytes say users who clicked on the embedded button were taken to a phishing page (onepass-word(.)com) via the Mandrillapp redirect.
The attacks targeting 1Password users were first reported by Brett Christensen (Hoax-Slayer) on September 25.

Source: Malwarebytes
Users of password management tools should ignore such alerts and always log in to the provider’s official website to check for any security alerts pending for review.
Critical security incidents claimed in emails are also widely communicated through companies’ blogs and press releases, so it’s always a good practice to double-check on official channels.
It’s also worth remembering that companies will never ask for the master password of your vault.
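One way a mail-security or SOC team can triage alerts like these, as an added example that is not part of the original article: flag messages whose sender domain contains a password-manager brand name but is not that vendor's official domain. The official-domain allowlist is an assumption for illustration; the sample headers are constructed, using the sender addresses reported above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Official sender domains per brand (assumption: illustrative, not an exhaustive allowlist).
OFFICIAL_DOMAINS = {
    "lastpass": {"lastpass.com"},
    "bitwarden": {"bitwarden.com"},
    "1password": {"1password.com"},
}

# Loose brand patterns so misspellings such as "lastpas" or "onepass-word" still match.
BRAND_PATTERNS = {
    "lastpass": re.compile(r"last-?pas+", re.I),
    "bitwarden": re.compile(r"bit-?warden", re.I),
    "1password": re.compile(r"(?:1|one)-?pass(?:-?word)?", re.I),
}

def sender_domain(raw_message: str) -> str:
    """Extract the domain part of the From header, lowercased ('' if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify_domain(domain: str) -> tuple[str, str]:
    """Return (verdict, brand) where verdict is 'official', 'lookalike' or 'no_brand'."""
    for brand, pattern in BRAND_PATTERNS.items():
        if domain in OFFICIAL_DOMAINS[brand]:
            return "official", brand
        if pattern.search(domain):
            return "lookalike", brand
    return "no_brand", ""

def triage(raw_message: str) -> dict:
    """Summarise one message for an analyst: sender domain plus lookalike verdict."""
    domain = sender_domain(raw_message)
    verdict, brand = classify_domain(domain)
    return {"domain": domain, "verdict": verdict, "brand": brand}

# Constructed sample headers; the sender addresses are the ones reported in the article.
SAMPLES = [
    "From: LastPass <hello@lastpasspalse.blog>\nSubject: Urgent: install the new desktop app\n\nbody",
    "From: LastPass <hello@lastpasjournal.blog>\nSubject: Security notice\n\nbody",
    "From: Bitwarden <hello@bitwardenbroadcast.blog>\nSubject: New secure client\n\nbody",
    "From: 1Password Watchtower <watchtower@eightninety.com>\nSubject: Account compromised\n\nbody",
    "From: LastPass <noreply@lastpass.com>\nSubject: Your monthly report\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

Note that the 1Password lure's sender (watchtower@eightninety(.)com) carries no brand keyword and is reported as no_brand, so this check complements, rather than replaces, the advice to verify alerts on the vendor's official site.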