Beware Fake Password Manager Breach Alerts Hijacking PCs

▼ Summary
– A phishing campaign is sending fake emails to LastPass and Bitwarden users, falsely claiming the companies were hacked and urging downloads of a “more secure” desktop app.
– The malicious emails direct users to install a binary that deploys Syncro, a remote monitoring tool used to install ScreenConnect software for unauthorized remote access.
– LastPass confirms no security breach occurred and identifies the emails as a social engineering tactic timed to exploit holiday weekend staffing gaps.
– The phishing campaign also targets Bitwarden users with similar fake security alerts and download links, which are now being blocked by Cloudflare as fraudulent.
– Users should ignore such alerts, verify security notices through official channels, and never share their master password, as legitimate companies won’t request it.
A phishing operation is actively targeting LastPass and Bitwarden users with fraudulent emails that falsely report security breaches at those companies. The messages pressure recipients into downloading a malicious desktop application, presented as a more secure version of their password manager. Instead of adding any protection, the installer drops the Syncro remote monitoring and management (RMM) agent, which the attackers then use to push a remote access tool and take control of the victim’s computer.
Security researchers have confirmed that the downloaded file deploys Syncro, a remote monitoring and management platform typically used by IT service providers. Attackers are leveraging this tool to install ScreenConnect, a remote support application that provides them with unauthorized access to the infected systems. LastPass has officially stated that no breach of their services occurred, labeling the campaign a deliberate social engineering attack designed to create panic and urgency.
The deceptive emails began circulating over a holiday weekend, a timing choice likely intended to capitalize on reduced IT staffing and slower response times. These messages are convincingly written, claiming that older .EXE installer formats contained vulnerabilities permitting unauthorized access to password vaults. Recipients are urged to replace these with a new, secure desktop client. The emails originate from fabricated domains made to look official, such as ‘hello@lastpasspulse[.]blog’ and ‘hello@lastpasjournal[.]blog’.
Bitwarden users are also being targeted by nearly identical phishing attempts. Notifications supposedly from ‘hello@bitwardenbroadcast[.]blog’ describe a fabricated security incident and push users to download an updated desktop application. At present, Cloudflare is blocking the fraudulent landing pages linked in these emails, flagging them as phishing sites.
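The lookalike domains above are the cheapest part of the campaign to catch. The following is an added example, not code from the original report or from any of the vendors, of a sender and link-domain check that refangs the defanged indicators, compares the registrable domain against an assumed list of official vendor domains, and flags brand strings or near-misses in anything else. The official domain list, the brand and local-part tokens and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import difflib
from email.utils import parseaddr

# Assumed official sender domains for the vendors named in the report.
OFFICIAL_DOMAINS = {"lastpass.com", "bitwarden.com", "1password.com"}

# Brand strings to look for inside a registered domain label, including the
# truncation ("lastpas") and the hyphenated split ("onepass-word") seen in the
# report's defanged addresses.
BRAND_TOKENS = {
    "lastpass": ("lastpass", "lastpas"),
    "bitwarden": ("bitwarden",),
    "1password": ("1password", "onepassword", "onepass-word", "one-password"),
}

# Product feature names an attacker may put in the local part to borrow
# credibility. Flagging "watchtower" (1Password's breach-monitoring feature)
# is an assumption for this example.
LOCALPART_TOKENS = {"1password": ("watchtower",)}


def refang(text: str) -> str:
    """Turn defanged indicators such as 'lastpasspulse[.]blog' back into usable form."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels ('mail.lastpass.com' -> 'lastpass.com'). Real code should
    consult the public suffix list; two labels suffice for the TLDs used here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(host: str) -> str:
    """'official', 'lookalike:<brand>' or 'unrelated' for a sender or link host."""
    reg = registrable_domain(refang(host))
    if reg in OFFICIAL_DOMAINS:
        return "official"
    label = reg.split(".")[0]  # e.g. 'lastpasspulse'
    for brand, tokens in BRAND_TOKENS.items():
        if any(tok in label for tok in tokens):
            return f"lookalike:{brand}"
        # Typosquats a character or two off the brand name ("bitwardem").
        if difflib.SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return f"lookalike:{brand}"
    return "unrelated"


def classify_sender(from_header: str) -> str:
    """Classify a From: header value; also flags brand feature names in the
    local part when the domain itself gives nothing away."""
    _, addr = parseaddr(refang(from_header))
    if "@" not in addr:
        return "unrelated"
    local, host = addr.rsplit("@", 1)
    verdict = classify_domain(host)
    if verdict == "unrelated":
        for brand, tokens in LOCALPART_TOKENS.items():
            if any(tok in local.lower() for tok in tokens):
                return f"lookalike:{brand}"
    return verdict


if __name__ == "__main__":
    for sample in ("hello@lastpasspulse[.]blog", "hello@lastpasjournal[.]blog",
                   "hello@bitwardenbroadcast[.]blog", "watchtower@eightninety[.]com",
                   "LastPass <noreply@lastpass.com>"):
        print(f"{sample:40} {classify_sender(sample)}")
```

Anything that comes back as a lookalike should be treated the way the report recommends: do not follow the link, and check the vendor's own site or blog directly. The check is deliberately string-based; a production mail filter would add SPF/DKIM/DMARC results and domain age on top.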
Analysis of the malicious files shows they consistently install the Syncro MSP agent, configured to run without a system tray icon so that the victim sees no sign of it. The agent’s configuration is minimal and aimed only at deploying ScreenConnect to establish a remote connection: it checks in with its management server every 90 seconds, does not enable Syncro’s other remote-control options such as Splashtop or TeamViewer, and has its entries for the Emsisoft, Webroot and Bitdefender security products set to disabled.
Once ScreenConnect is active, attackers can remotely operate the compromised computer. This access allows them to install additional malware, extract sensitive information, and potentially obtain master passwords or other credentials stored on the device.
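A defender who cannot stop the email can still catch what it installs: the tell is an RMM agent appearing on a host no MSP manages, followed minutes later by a ScreenConnect client. The script below is an added example, not from the report or from Syncro or ConnectWise, that runs that correlation over constructed process-creation events. The executable names and install paths for Syncro and ScreenConnect, the set of hosts where the agent is expected, and the ten-minute window are assumptions to adapt to real telemetry.

```python
from datetime import datetime, timedelta

# Hosts where an MSP legitimately runs Syncro (assumption for the example).
EXPECTED_RMM_HOSTS = {"SRV-01"}

# Lower-cased path fragments that identify each tool. These are assumed
# typical install paths and binary names, not indicators from the report.
SYNCRO_MARKERS = ("\\repairtech\\syncro\\", "syncro.service.exe")
SCREENCONNECT_MARKERS = ("\\screenconnect client", "screenconnect.clientservice.exe")
WINDOW = timedelta(minutes=10)

# Constructed process-creation events in Sysmon event ID 1 style.
EVENTS = [
    {"ts": "2025-08-30T10:02:11", "host": "WS-17", "user": "alice",
     "image": r"C:\Users\alice\Downloads\LastPass-Desktop-Secure.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-08-30T10:02:40", "host": "WS-17", "user": "SYSTEM",
     "image": r"C:\Program Files\RepairTech\Syncro\Syncro.Service.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"ts": "2025-08-30T10:03:15", "host": "WS-17", "user": "SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (f00ba4)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    # Same sequence on a host the MSP is known to manage: expected, not alerted.
    {"ts": "2025-08-30T10:10:00", "host": "SRV-01", "user": "SYSTEM",
     "image": r"C:\Program Files\RepairTech\Syncro\Syncro.Service.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"ts": "2025-08-30T10:11:00", "host": "SRV-01", "user": "SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    # ScreenConnect alone (e.g. a helpdesk session) with no RMM agent: not alerted.
    {"ts": "2025-08-30T11:00:00", "host": "WS-22", "user": "SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9c9c9c)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


def _matches(image: str, markers) -> bool:
    low = image.lower()
    return any(m in low for m in markers)


def find_rmm_to_screenconnect(events, window=WINDOW, expected_hosts=EXPECTED_RMM_HOSTS):
    """Return one alert per ScreenConnect client start that was preceded, within
    `window`, by a Syncro agent process on a host not known to be MSP-managed.
    Each alert also names the latest user-launched binary from a Downloads
    folder seen before the agent, which is the likely phishing installer."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        if host in expected_hosts:
            continue
        stamped = [(datetime.fromisoformat(e["ts"]), e) for e in evs]
        syncro_starts = [t for t, e in stamped if _matches(e["image"], SYNCRO_MARKERS)]
        for t, e in stamped:
            if not _matches(e["image"], SCREENCONNECT_MARKERS):
                continue
            prior = [s for s in syncro_starts if timedelta(0) <= t - s <= window]
            if not prior:
                continue
            dropper = None
            for dt, de in stamped:
                if dt <= prior[0] and "\\downloads\\" in de["image"].lower():
                    dropper = de["image"]
            alerts.append({
                "host": host,
                "syncro_at": prior[0].isoformat(),
                "screenconnect_at": e["ts"],
                "dropper": dropper,
            })
    return alerts


if __name__ == "__main__":
    for a in find_rmm_to_screenconnect(EVENTS):
        print(f"{a['host']}: Syncro at {a['syncro_at']}, ScreenConnect at "
              f"{a['screenconnect_at']}, installer {a['dropper']}")
```

The allow-list of expected hosts is what keeps this from firing on every MSP-managed machine; in an environment with no MSP at all, leave it empty and any Syncro agent is worth a look on its own. Because the agent is configured to run without a tray icon, process telemetry or a service inventory is the realistic place to see it, not the user's screen.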
In a separate but related incident, 1Password users recently faced a different phishing scheme. Emails from ‘watchtower@eightninety[.]com’ falsely warned of account compromises. Clicking the provided link redirected users through Mandrillapp to a phishing domain, onepass-word[.]com, which prompted them to enter their master password.
Security experts emphasize that password manager companies will never ask for your master password. Users receiving such alerts should ignore the messages and instead log in directly through the official website to verify any security notices. Genuine security incidents are publicly announced via official company blogs and press releases, making it essential to confirm any warnings through these trusted channels.
In response to the campaign, Syncro has confirmed that malicious accounts were identified and disabled to prevent further agent installations. The company clarified that their platform was not breached; rather, criminals posed as a managed service provider to create an account for harmful purposes.
(Source: Bleeping Computer)