LastPass Labs is the content hub for the Threat Intelligence, Mitigation and Escalations (TIME) team at LastPass. Our focus is in-depth analysis of the latest security developments, a keen eye toward forward-looking tech, and unique threat perspectives.
While ransomware may continue to dominate the headlines, an insidious form of malware known as infostealers (short for information-stealing malware) is actually far more common, impacting everything from major corporations to individual home computers. Infostealers target sensitive information on infected systems, including passwords, crypto wallets, session cookies, financial details, and other personal data for quick exfiltration back to the threat actor. Many infostealers are offered for sale as “malware-as-a-service” (MaaS), in which criminals can purchase a subscription (often for several hundred dollars a month) for access to the malware for their own targeting and use, while maintenance and hosting of the malware remains in the hands of the developer offering it for sale. This helps lower the technological barrier to entry for cybercriminals, leading to the rapid expansion of infostealers as a broader cyber threat.
How are victims infected?
Victims can be infected via several methods, including phishing emails, visiting an infected website, or through fraudulent apps. Once a computer or network has been infected, the malware will execute, seeking to rapidly identify and exfiltrate critical information (including, when possible, LastPass master passwords) from browsers and other important folders. Threat actors will then either use this data to gain access to sensitive accounts themselves, or repackage the information for sale on markets, forums, or other criminal sites. Prices currently average approximately $10 per log and there are millions of logs available for sale at any given time, demonstrating the widespread and commonplace nature of the infostealer threat. These logs include credentials and other sensitive information from victims ranging from multinational corporations to small businesses to individual personal accounts stolen from a home computer.
What is LastPass doing about this?
To start, as part of our efforts to increase our security capabilities, LastPass has invested substantially in our cyber threat intelligence program. This includes building a dedicated Threat Intelligence, Mitigation, and Escalation (TIME) team, greatly expanding our threat intelligence monitoring and alerting by leveraging open source and proprietary reporting, and proactively monitoring deep and dark web sources for malicious activity. We’re also operationalizing this intelligence by automating its integration with our detection and response and vulnerability management teams, allowing for a quicker mitigation time. Finally, we have developed a dedicated and focused process for monitoring for and alerting on exposed customer credentials for customers opting into dark web monitoring. As expected, master passwords are highly valued within the infostealer community given the potential to gain access to a customer’s vault and its sensitive data and passwords. While there are dozens of infostealers available, LastPass is tracking three malware strains that commonly advertise LastPass customer credentials for sale:
- Redline: This MaaS stealer has been available since 2020 and is among the most common.
- Raccoon: Variations of this stealer have been available since 2019.
- Vidar: Available since at least 2018, this stealer is also able to take screenshots.
What steps can you take to protect your account?
We recommend that all LastPass users opt into our dark web monitoring program, which will provide an extra level of coverage. We will notify you if your credentials are found on the dark web. Additionally:
- Use multifactor authentication (MFA) whenever it is an option to protect your accounts. Don’t accept or approve MFA requests that you didn’t explicitly generate.
- Don’t trust apps offered via non-traditional channels (e.g., other than traditional app stores).
- Use an antivirus program and update it regularly or, better yet, set it for automatic updates.
- Don’t save your master password on your device, even in browser-provided autofill options.