Updated January 23 with further analysis from the LastPass Threat Intelligence, Mitigation, and Escalation team as the suspected actors behind the ongoing master password attacks evolve the campaign.

As password hacking attacks continue to compromise accounts across multiple platforms and services, the most repeated advice is to use a password manager to create and store credentials more securely. But what if the password manager comes under attack? Millions of users of one of the biggest password managers, LastPass, have been warned that an ongoing attack that began on January 19 is targeting them. Here’s what you need to know and do.

LastPass Threat Intelligence, Mitigation, And Escalation Team Issues Critical Security Warning For All Users

Threats to your account credentials come in many forms, from a myriad of info-stealing malware to barely credible but hugely dangerous hack-your-own-password attacks. The most commonplace, and as a consequence the most concerning, come by way of phishing campaigns.

It is one such new and ongoing campaign that has prompted the LastPass Threat Intelligence, Mitigation, and Escalation team to issue a critical security alert that millions of password manager users would be well-advised to take note of.

The TIME team, which doesn’t include Baldrick of Blackadder fame before readers of a certain age ask, has warned that the attacks, which started on January 19, claim “that LastPass is about to conduct maintenance and urging users to backup their vaults in the next 24 hours.” This is the typical tactic of applying time-based pressure to force action from the recipient, in this case clicking a “backup now” button that would actually kick off a process of stealing account credentials.

“Please remember that no one at LastPass will ever ask for your master password,” the LastPass warning stated, before advising any users who are unsure if a LastPass-branded email is legitimate or not to “submit it to abuse@lastpass.com.”

Updated: The Latest LastPass Threat Intelligence Concerning The Master Password Attack Campaign

The LastPass Threat Intelligence, Mitigation, and Escalation team is doing a first-class job of keeping on top of the master password compromise attack campaign, and has now updated its intel. The update, published January 22, confirmed: “The suspected threat actors behind this campaign have sent another wave of phishing emails using similar tactics. The body of the email remains the same, but the links have been changed following LastPass’ disruption of their initial infrastructure in conjunction with our partners. We also found other domains registered, likely by this threat actor given the use of similar procedures, that indicate a broader infrastructure that may be used or have been used in this and/or other phishing campaigns.” The updated list of indicators of compromise, along with URLs and associated IPs, can be found in the report as linked above.

“While this is always a best practice,” a LastPass TIME spokesperson said, “we recommend you confirm any email claiming to be from LastPass is coming from legitimate LastPass email domains as this campaign is ongoing.”

LastPass Master Password Targeted In New Attack Campaign

“This attack is very similar to your average Credential Phishing attack,” Chance Caldwell, senior director of the Phishing Defense Center at Cofense, said, “but unlike many phishing scams that target single accounts, this one focuses on a password manager’s master login.” If attackers collect this, they could gain access to virtually every login and secret stored in the vault, Caldwell warned, adding that attacks such as these can be very successful due to the use of legitimate branding, look-alike domains, having a task with a time limit, and exploiting what could be a real feature in the request to backup data. “Users should be trained to never enter their master password into a site reached via an emailed link and to contact a company through a separate source to verify the authenticity of a request if needed.”
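The two pieces of advice above, checking that a LastPass-branded email really comes from a legitimate LastPass domain and distrusting vault-backup links that lead to look-alike domains, can be automated as a first-pass triage of a suspicious message. The script below is an added example written for this article, not code from LastPass, Cofense or the TIME team. It assumes, as a placeholder, that lastpass.com (the domain of the abuse@lastpass.com reporting address) is the only legitimate sender domain; a real deployment would take the allowlist from the vendor. The sample message is constructed to mirror the tactics described above, and every domain in it other than lastpass.com is invented.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: lastpass.com (the domain of the abuse@lastpass.com reporting
# address mentioned in the alert) is the only domain treated as legitimate here.
# A real deployment must take the allowlist from the vendor's own documentation.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND_TOKENS = ("lastpass",)
# Phrases that signal the time-pressure tactic the campaign relies on.
URGENCY_PATTERNS = (
    r"\b(?:within|in the next)\s+\d+\s+hours?\b",
    r"\bback\s*up\s+now\b",
    r"\bimmediately\b",
    r"\bmaster password\b",
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample modelled on the tactics described in the article; every
# domain other than lastpass.com is invented for the example.
SAMPLE_EML = """\
From: LastPass Support <support@lastpass-maintenance.example>
Return-Path: <bounce@mailer.example>
To: user@example.org
Subject: Scheduled maintenance: back up your vault in the next 24 hours
Content-Type: text/plain; charset="utf-8"

LastPass is about to conduct maintenance. Please back up your vault
in the next 24 hours: https://vault-backup.lastpass-maintenance.example/backup
Need help? https://lastpass.com/support
"""


def host_is_legit(host: str) -> bool:
    """True only if host equals, or is a subdomain of, an allowlisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze_message(raw: str) -> dict:
    """Return {'verdict': ..., 'findings': [(category, detail), ...]}."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender checks: both the visible From and the envelope Return-Path
    #    must belong to an allowlisted domain; anything else is a strong signal.
    for header in ("From", "Return-Path"):
        addr = parseaddr(str(msg.get(header, "")))[1]
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if not host_is_legit(domain):
            findings.append(("sender_domain", f"{header}: {addr or '<missing>'}"))

    # 2. Link checks: a host that is not allowlisted but carries the brand name
    #    is a look-alike domain; any other non-allowlisted host is flagged too.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host_is_legit(host):
            continue
        if any(tok in host.lower() for tok in BRAND_TOKENS):
            findings.append(("lookalike_link", url))
        else:
            findings.append(("external_link", url))

    # 3. Urgency checks over subject and body (supporting evidence only).
    text = f"{msg.get('Subject', '')}\n{body}"
    for pat in URGENCY_PATTERNS:
        m = re.search(pat, text, re.IGNORECASE)
        if m:
            findings.append(("urgency", m.group(0)))

    strong = {"sender_domain", "lookalike_link"}
    verdict = "suspicious" if any(c in strong for c, _ in findings) else "no indicators"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    report = analyze_message(SAMPLE_EML)
    print(report["verdict"])
    for category, detail in report["findings"]:
        print(f"  {category:15} {detail}")
```

Urgency phrases alone never drive the verdict; only a non-allowlisted sender or a look-alike link does, because a legitimate maintenance notice could also mention a deadline while a spoofed sender or brand-bearing foreign domain is the concrete evidence the advice above asks users to look for. A legitimate lastpass.com link in the body does not clear a message whose sender fails the check.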

The Cofense cyber intelligence manager, Max Gannon, told me that while users of any password management software need to be vigilant for attacks spoofing their provider, “this goes doubly for LastPass users who have been targeted several times by particularly well-developed phishing campaigns.”

“This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” a LastPass Threat Intelligence, Mitigation, and Escalation team spokesperson said. “We want customers and the broader security community to be aware that LastPass will never ask for their master password or demand immediate action under a tight deadline. We thank our customers for staying vigilant and continuing to report suspicious activity.”
