Mallory

Phishing Campaign Impersonates LastPass and Bitwarden to Distribute Remote Access Tools

Updated October 16, 2025 at 05:01 PM · 2 sources


Threat actors have launched a phishing campaign targeting users of the password managers LastPass and Bitwarden. The emails falsely claim that LastPass or Bitwarden has suffered a security breach and urge recipients to download a new, supposedly more secure desktop version of the password manager. The messages manufacture urgency so that the recipient downloads and runs a malicious binary. On execution, the binary silently installs Syncro, a remote monitoring and management (RMM) tool widely used by managed service providers. The attackers then use Syncro to deploy ScreenConnect, a remote support and access product, which gives them interactive control of the victim's machine. From there they can deliver additional malware, steal data and attempt to reach the password vaults stored on the affected host.

The emails are sent from addresses such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’ and are styled as official security alerts from LastPass and Bitwarden. They claim that older .exe installations of the password managers are vulnerable and that users must upgrade to a new MSI installer to protect their vault data. LastPass has publicly denied any breach of its systems and stated that the emails are fraudulent and part of a social engineering scheme. The campaign began over a weekend, likely timed to exploit reduced staffing and slower detection. Bitwarden users have been targeted with near-identical emails, indicating a broad scope. The campaign follows the pattern of earlier phishing attacks against users of other password managers, such as 1Password.

Two points matter for defenders. First, Syncro and ScreenConnect are legitimate commercial products, so endpoint protection will not classify them as malware; detecting this intrusion depends on knowing which RMM agents are authorized in the environment and treating the appearance of any other agent as an incident. Second, the "upgrade to the new MSI" premise means the initial compromise needs no exploit, only a user running an installer obtained from an emailed link. Installers for password managers should come only from the vendor's own site or from the organization's software distribution channel.

Security experts warn that trusted brand names combined with a plausible security narrative raise the likelihood of user compromise. Organizations are advised to educate users about unsolicited security alerts and to verify any software update request directly with the vendor, by navigating to the vendor's site rather than following a link in the message. Both LastPass and Bitwarden have issued statements reassuring users and explaining how to recognize these emails. Password manager users are a high-value target because a compromised vault exposes every credential it holds. Security teams should alert on unauthorized RMM installations, restrict which remote access tools may run, and put controls in place to limit lateral movement and data exfiltration. Layered defenses together with user awareness training reduce the impact of campaigns like this one.
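The monitoring advice above (alert on RMM agents that are not sanctioned, and on the installer lure itself) can be expressed as two rules over process-creation events. The following is an added example written for this page, not code from Mallory, LastPass, Bitwarden, Syncro or any report cited here. The log format is a constructed pipe-separated layout, the hostnames, users and agent binary names in the sample events are made up, and `RMM_KEYWORDS` and `AUTHORIZED_RMM_HOSTS` are placeholders for an organization's own vetted indicator list and software inventory.

```python
"""Flag unsanctioned RMM agents and user-directory MSI installs in process logs.

Added example for this page; it is not code from Mallory, LastPass, Bitwarden,
Syncro or any report cited above. Assumptions: events are a constructed
pipe-separated format (timestamp | host | user | image path | command line);
RMM_KEYWORDS and AUTHORIZED_RMM_HOSTS are illustrative placeholders for the
organization's own vetted indicator list and software inventory.
"""
import re
from dataclasses import dataclass

# Case-insensitive substrings that identify remote-access agents in a binary
# path or command line. Illustrative; maintain the real list from the products
# you deploy and the ones you never expect to see.
RMM_KEYWORDS = {
    "syncro": "Syncro RMM agent",
    "screenconnect": "ScreenConnect remote-support client",
}

# Hosts where an RMM agent is sanctioned (assumption: one helpdesk box).
AUTHORIZED_RMM_HOSTS = {"helpdesk-01"}

# msiexec /i <package>: capture the package path, quoted or not.
MSI_PACKAGE_RE = re.compile(r'/i\s+"?([^"]+?\.msi)', re.I)
# User-writable locations from which an emailed "upgrade" installer would run.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|Temp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    detail: str


def parse_event(line):
    """Split one constructed log line into its five fields."""
    ts, host, user, image, cmdline = (f.strip() for f in line.split(" | ", 4))
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def evaluate(ev, authorized=AUTHORIZED_RMM_HOSTS):
    """Return the findings for a single parsed event (possibly none)."""
    findings = []
    haystack = f"{ev['image']} {ev['cmdline']}".lower()
    # Rule 1: a known RMM agent on a host that is not cleared to run one.
    # The agents are legitimate signed software, so this is a policy check,
    # not a malware signature.
    for keyword, name in RMM_KEYWORDS.items():
        if keyword in haystack and ev["host"].lower() not in authorized:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], "unauthorized_rmm",
                                    f"{name} observed: {ev['image']}"))
            break
    # Rule 2: msiexec installing a package out of Downloads, AppData or Temp,
    # the shape of the "upgrade to the new MSI installer" lure.
    if ev["image"].lower().endswith("msiexec.exe"):
        match = MSI_PACKAGE_RE.search(ev["cmdline"])
        if match and USER_WRITABLE_RE.search(match.group(1)):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], "msi_from_user_dir",
                                    f"msiexec installed {match.group(1)}"))
    return findings


def scan(lines):
    """Evaluate every log line and return all findings in log order."""
    findings = []
    for line in lines:
        findings.extend(evaluate(parse_event(line)))
    return findings


# Constructed events (hostnames, users and binary names are made up); the first
# three model the lure on one workstation on a Saturday, the rest are benign.
SAMPLE_EVENTS = [
    r'2025-10-11T09:14:02Z | WS-ALICE | alice | C:\Windows\System32\msiexec.exe | msiexec.exe /i "C:\Users\alice\Downloads\LastPass-Desktop-Secure.msi" /qn',
    r"2025-10-11T09:14:31Z | WS-ALICE | SYSTEM | C:\Program Files\Syncro\SyncroAgent.exe | SyncroAgent.exe",
    r"2025-10-11T09:20:05Z | WS-ALICE | SYSTEM | C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.ClientService.exe | ScreenConnect.ClientService.exe",
    r"2025-10-13T08:02:11Z | HELPDESK-01 | svc_rmm | C:\Program Files\Syncro\SyncroAgent.exe | SyncroAgent.exe",
    r"2025-10-13T08:05:44Z | WS-BOB | bob | C:\Program Files\Bitwarden\Bitwarden.exe | Bitwarden.exe",
    r"2025-10-13T08:10:00Z | WS-BOB | SYSTEM | C:\Windows\System32\msiexec.exe | msiexec.exe /i C:\Windows\ccmcache\a1\7zip.msi /qn",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.detail}")
```

Run stand-alone, the script reports three findings, all on WS-ALICE: the MSI run from the user's Downloads folder, then the Syncro agent, then the ScreenConnect client, which is exactly the chain the article describes. The same Syncro binary on HELPDESK-01 produces nothing because that host is on the allow list; the point of rule 1 is that it is the allow list, not the binary, that decides.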

Sources

October 15, 2025 at 12:00 AM

Related Stories

Phishing Campaigns Impersonate LastPass to Steal Credentials and Deploy Remote Access Tools

Threat actors have launched sophisticated phishing campaigns impersonating *LastPass* to trick users into revealing their master passwords and, in some cases, to install remote access tools. One campaign, attributed to the financially motivated group **CryptoChameleon (UNC5356)**, sends emails claiming a family member has requested access to the victim's LastPass vault via a fabricated death certificate, exploiting the service's emergency access feature. Victims are directed to fraudulent sites mimicking LastPass, where they are prompted to enter their credentials or passkeys. In some instances, attackers have also called victims while posing as LastPass staff to further legitimize the scam. A separate but related campaign targets users of both *LastPass* and *Bitwarden* with fake breach notifications, urging them to download a "secure" desktop version of the password manager. The download actually installs the Syncro remote monitoring and management (RMM) tool, which is then used to deploy ScreenConnect for remote access. This allows attackers to steal data, deploy additional malware, and potentially access password vaults. Both LastPass and Syncro have taken steps to warn users and disrupt the malicious infrastructure, emphasizing that no legitimate communication will ever request a master password and advising users to verify suspicious emails.

4 months ago

Phishing Campaigns Exploiting Trusted Brands and Services

Threat actors have intensified their impersonation of well-known brands and trusted online services to steal credentials. In one campaign identified by the Cofense Phishing Defense Center, attackers targeted people in social media and marketing roles with fake job application emails that appeared to come from companies such as Red Bull, Tesla, Google and Ferrari. The emails used current logos, convincing language and brand-tailored subdomains, and the sender address was spoofed to appear to come from a legitimate domain such as Xero, which has been abused in earlier phishing incidents. The flow often began with a CAPTCHA page, which lends an air of legitimacy, before redirecting victims to fraudulent login pages that harvest credentials. The targeting reflects the value of résumé and personal data obtained from specific job seekers.

In a separate but similarly themed incident, a Malwarebytes employee received a phishing email impersonating 1Password. It falsely claimed the recipient's 1Password account had been compromised and urged immediate action: change the account password and enable two-factor authentication. The message mimicked a legitimate security alert and referenced 1Password's Watchtower feature, but carried red flags: a sender address not associated with 1Password and a malicious link disguised as an action button. The link led to the typosquatted domain onepass-word[.]com rather than the official 1Password site. The email's 'Contact us' link routed through a legitimate support page via a redirect service, and the message was delivered through Mandrillapp, a transactional email service; both choices make the email harder to distinguish from real vendor mail.

Both campaigns show attackers leveraging trusted brands and legitimate infrastructure to pass email filters and exploit user trust. Brand-specific subdomains, authentic-looking graphics and familiar communication styles make the emails convincing, and tailoring messages to job seekers or to users of a specific service raises the success rate. Security teams are advised to teach users to check sender addresses, scrutinize URLs and be wary of urgent requests for sensitive information. Organizations should also monitor for abuse of their brand in phishing campaigns and work with email providers to block malicious domains; robust email filtering and ongoing vigilance against evolving social engineering remain necessary.
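The advice to check sender addresses and scrutinize URLs can be automated as a first-pass triage. The following is an added example written for this page, not code from Mallory or from LastPass, Bitwarden, 1Password or any cited report. It classifies a sender address, URL or bare host as a verified vendor domain, a brand lookalike (a domain label within edit distance 1 of a brand token, which catches the `lastpasjournal[.]blog` and `onepass-word[.]com` spellings from this page), a passkey-themed domain that is not a vendor's, or unrelated. `LEGIT_DOMAINS`, `BRAND_TOKENS` and `THEME_KEYWORDS` are assumptions to be replaced with the organization's verified lists; the sample inputs are the defanged domains quoted on this page plus a few constructed ones.

```python
"""Triage sender addresses and link hosts that impersonate a password-manager brand.

Added example for this page; not code from Mallory, LastPass, Bitwarden,
1Password or any cited report. Assumptions: LEGIT_DOMAINS is the organization's
verified list of vendor domains (confirm it against each vendor's published
domains before use); BRAND_TOKENS and THEME_KEYWORDS are illustrative; the
inputs below are defanged domains from this page plus constructed ones.
"""
from urllib.parse import urlparse

LEGIT_DOMAINS = {"lastpass.com", "bitwarden.com", "1password.com"}  # assumption
BRAND_TOKENS = ("lastpass", "bitwarden", "1password", "onepassword")
THEME_KEYWORDS = ("passkey",)  # "passkey-themed" lure domains, see this page


def refang(value):
    """Undo the [.] and hxxp defanging used in threat reports."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def extract_host(value):
    """Accept a URL, an email address or a bare host; return the lowercase host."""
    v = refang(value.strip().lower())
    if "://" in v:
        return urlparse(v).hostname or ""
    if "@" in v:
        return v.rsplit("@", 1)[1]
    return v


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_brand(label):
    """Return (token, distance) if a window of the label is within distance 1
    of a brand token, else None. Hyphens are dropped first so that
    'onepass-word' compares as 'onepassword'."""
    cleaned = label.replace("-", "").replace("_", "")
    best = None
    for token in BRAND_TOKENS:
        n = len(token)
        for width in (n - 1, n, n + 1):
            for start in range(max(1, len(cleaned) - width + 1)):
                d = levenshtein(cleaned[start:start + width], token)
                if d <= 1 and (best is None or d < best[1]):
                    best = (token, d)
    return best


def classify(value):
    host = extract_host(value)
    result = {"input": value, "host": host}
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return {**result, "verdict": "legitimate", "detail": "verified vendor domain"}
    # Every label except the TLD is checked, so a brand used as a subdomain of
    # an attacker-controlled domain is caught as well.
    for label in host.split(".")[:-1] or [host]:
        hit = closest_brand(label)
        if hit:
            return {**result, "verdict": "lookalike",
                    "detail": f"label '{label}' is edit distance {hit[1]} from '{hit[0]}'"}
    for keyword in THEME_KEYWORDS:
        if keyword in host:
            return {**result, "verdict": "themed",
                    "detail": f"contains '{keyword}' but is not a verified vendor domain"}
    return {**result, "verdict": "unrelated", "detail": ""}


def triage(values):
    return [classify(v) for v in values]


# First four are defanged strings quoted on this page; the rest are constructed.
SAMPLE_INPUTS = [
    "hello@lastpasspulse[.]blog",
    "hello@lastpasjournal[.]blog",
    "hxxps://onepass-word[.]com/verify",
    "mypasskey[.]info",
    "lastpass.example-support.net",
    "alerts@lastpass.com",
    "noreply@bitwarden.com",
    "newsletter@example.com",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INPUTS):
        print(f"{r['verdict']:<11} {r['host']:<30} {r['detail']}")
```

Distance 1 is deliberately loose: it matches the dropped "s" in `lastpasjournal` and the hyphen in `onepass-word`, but it also means a bare "password" label is within one edit of "1password", so treat a "lookalike" verdict as a triage hint for the analyst, not a block decision. The passkey-themed domains on this page contain no brand string at all, which is why the separate keyword rule exists; in practice the right response to any non-vendor host is the one the article gives, go to the vendor's site directly rather than trusting the message.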

5 months ago

Phishing Campaign Exploits LastPass Legacy Inheritance Process

Threat actors from the group **CryptoChameleon** have launched a sophisticated phishing campaign targeting *LastPass* users by exploiting the password manager's legitimate legacy inheritance process. Victims receive emails falsely claiming that a family member has submitted a death certificate to gain access to their password vault, with urgent instructions to respond if the recipient is not deceased. The phishing emails contain links to fake LastPass pages designed to steal users' master passwords, and in some cases, attackers have posed as LastPass staff via phone calls to further pressure victims into divulging credentials. The campaign leverages convincing social engineering tactics, including the use of agent ID numbers and passkey-themed phishing domains such as `mypasskey[.]info` and `passkeysetup[.]com`. Attackers also mimic sign-in pages for Gmail, iCloud, Okta, and Outlook to target users' cryptocurrency wallets on platforms like Binance, Coinbase, Kraken, and Gemini. LastPass has warned that these phishing sites are increasingly focused on stealing passkeys, reflecting both the growing adoption of passkeys and their value in protecting high-value assets. Users are advised to remain vigilant and avoid interacting with suspicious emails or providing credentials on unfamiliar sites.

4 months ago
