Fake LastPass, Bitwarden breach alerts lead to PC hijacks

An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager.

The messages direct recipients to download a binary that BleepingComputer has discovered installs Syncro, a remote monitoring and management (RMM) tool used by managed service providers (MSPs) to streamline IT operations.

The threat actors are using the Syncro MSP program to deploy the ScreenConnect remote support and access software.
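The chain described above (a user-launched download followed by Syncro and then ScreenConnect appearing on the same host) is something a defender can look for in endpoint process-creation telemetry. The following is an added example, not code from the article or from LastPass, Bitwarden or BleepingComputer: it parses constructed log lines in a simple `timestamp host= user= image=` format, flags RMM tooling on hosts that are not on a hypothetical allowlist of MSP-managed machines, and then correlates each such finding with an executable run from a Downloads folder shortly before it. The substrings matched (`syncro`, `screenconnect`) are the product names from the article, not verified binary names, and all file paths and hostnames are constructed sample values.

```python
"""Detect unexpected RMM tooling (Syncro, ScreenConnect) following a user download.

Added illustration; not code from the article or any vendor it mentions.
Assumptions: log format, hostnames, paths and the managed-host allowlist are
all constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Product names taken from the article; real agent binary names may differ.
RMM_MARKERS = ("syncro", "screenconnect")
# Hypothetical allowlist: hosts where an MSP legitimately runs an RMM agent.
MANAGED_HOSTS = {"ws-finance-07"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    image: str
    marker: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _ts(value):
    # Constructed timestamps are ISO-8601 with a trailing 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unexpected_rmm(lines, managed_hosts=MANAGED_HOSTS):
    """Flag process images that look like RMM agents on hosts not managed by an MSP."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        image_l = ev["image"].lower()
        for marker in RMM_MARKERS:
            if marker in image_l and ev["host"] not in managed_hosts:
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["image"], marker))
                break
    return findings


def download_preceded_rmm(lines, window_minutes=30, managed_hosts=MANAGED_HOSTS):
    """Pair each RMM finding with an executable launched from a Downloads folder
    on the same host within the preceding window. Returns (host, download_image, rmm_image)."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    downloads = [ev for ev in events if "\\downloads\\" in ev["image"].lower()]
    chains = []
    for f in find_unexpected_rmm(lines, managed_hosts):
        for d in downloads:
            delta = (_ts(f.ts) - _ts(d["ts"])).total_seconds()
            if d["host"] == f.host and 0 <= delta <= window_minutes * 60:
                chains.append((f.host, d["image"], f.image))
                break
    return chains


# Constructed sample telemetry: one managed host with a legitimate agent, and one
# workstation where a downloaded installer is followed by Syncro and ScreenConnect.
SAMPLE_LOG = """\
2025-10-13T09:02:11Z host=ws-finance-07 user=svc-msp image=C:\\Program Files\\Syncro\\SyncroAgent.exe
2025-10-13T09:14:52Z host=ws-hr-03 user=jdoe image=C:\\Users\\jdoe\\Downloads\\password-manager-update.exe
2025-10-13T09:15:03Z host=ws-hr-03 user=jdoe image=C:\\ProgramData\\Syncro\\SyncroAgent.exe
2025-10-13T09:16:40Z host=ws-hr-03 user=jdoe image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2025-10-13T09:20:00Z host=ws-hr-03 user=jdoe image=C:\\Windows\\System32\\notepad.exe
"""

if __name__ == "__main__":
    for host, dl, rmm in download_preceded_rmm(SAMPLE_LOG.splitlines()):
        print(f"{host}: {dl} -> {rmm}")
```

The allowlist is the important design choice: RMM agents are legitimate on machines an MSP actually manages, so matching on the product name alone produces noise; the signal here is an RMM agent appearing on a host where none is expected, shortly after something ran out of a user's Downloads folder.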

'Vulnerable' old .EXE installs

In a threat alert this week, LastPass makes it clear that the company did not suffer any cybersecurity incident and that the messages are a social engineering effort by a threat actor.

"To be clear, LastPass has NOT been hacked, and this is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails," LastPass says.

According to the company, the campaign started over the weekend, presumably to take advantage of the reduced staffing over the Columbus Day holiday weekend and delay detection.

The phishing emails are well crafted and urge recipients to install a supposedly more secure desktop app, presented as an MSI replacement that LastPass developed for the "outdated .exe format", which the email claims had weaknesses that allowed access to vault information.

“Attackers exploited weaknesses in older .exe installations, which could, under certain conditions, allow unauthorized access to cached vault data,” reads the fake security alert from the threat actor.

Phishing email impersonating LastPass
