Fake 'Data Breach' Alerts Target LastPass and Bitwarden Users, Leading to Malware Installation

Information:
Since October 13, 2025, there have been reports of cyberattacks in which hackers used phishing tactics through fraudulent emails impersonating well-known password manager companies, LastPass and Bitwarden. The goal of these attacks is to trick users into downloading malware-laden programs that allow remote control of their computers.
Incident:
The phishing campaign sends emails designed to look like they come from "LastPassPulse" or "BitwardenBroadcast". The content claims that a security vulnerability has been discovered in the user's current version of the software and urges them to download a new version to prevent a data breach. When the victim downloads and runs the installation file, the installer silently installs remote-control software, such as Syncro MSP. This in turn installs a "ScreenConnect" service, allowing the attacker to connect remotely to the target's computer. From there, they can deploy additional malware payloads, steal data, and potentially gain access to the user's password vault via saved credentials.
The campaign is timed around holidays to evade detection by system administrators, and it targets general users.
Incident:
These phishing emails typically include malicious attachments and attempt to obtain personal information or passwords. A previous campaign with similar characteristics also targeted 1Password users by using the same pretext.
However, LastPass confirmed that the company was not hacked or breached in any way, and this campaign is merely a social engineering tactic from malicious actors.
Recommendation:
The key point is the security of your systems: stay alert and keep monitoring as usual.
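The lure described above has a recognisable shape: a display name that borrows a password-manager brand, a sender domain the vendor does not use, "vulnerability in your version" wording, and a link or attachment that delivers an installer. The triage heuristic below, added here as an example and not code from the newsletter or from LastPass, Bitwarden or 1Password, scores a message on those signals. The vendor sending domains, the lure phrases and the score threshold are assumptions to tune for your own mail flow; both sample messages are constructed.

```python
"""Mail-triage heuristic for the fake password-manager "security alert" emails.

Added example, not code from the newsletter or the vendors it mentions.
ASSUMPTIONS: the vendor sending domains, the lure phrases and the score
threshold are illustrative; both sample messages are constructed.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Brands the campaign impersonates -> domains the real vendor mails from (ASSUMED list).
BRAND_DOMAINS = {
    "lastpass": {"lastpass.com"},
    "bitwarden": {"bitwarden.com"},
    "1password": {"1password.com"},
}

# Lure language used by the campaign: a flaw in "your version", download a new build.
LURE_PATTERNS = [
    r"security vulnerability",
    r"data breach",
    r"download (the )?(new|latest) version",
    r"update (immediately|now)",
    r"your (current )?version",
]

# A genuine update notice should not hand the user a raw installer.
INSTALLER_EXT = re.compile(r"\.(exe|msi|zip|scr|bat|cmd|js|dmg|pkg)(\?|$)", re.I)

PHISH_THRESHOLD = 5  # ASSUMED: tune against your own mail flow


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def is_phish(self):
        return self.score >= PHISH_THRESHOLD


def sender_domain(from_header):
    """Domain of the RFC 5322 address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_brand(from_header, subject):
    """Brand named in the display name or subject ('LastPassPulse' -> 'lastpass')."""
    name, _ = parseaddr(from_header)
    text = f"{name} {subject}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def score_email(from_header, subject, body, attachments=()):
    v = Verdict()
    brand = claimed_brand(from_header, subject)
    domain = sender_domain(from_header)
    if brand:
        official = BRAND_DOMAINS[brand]
        if domain not in official and not any(domain.endswith("." + d) for d in official):
            v.score += 3
            v.reasons.append(f"claims {brand} but sender domain is {domain!r}")
    hits = [p for p in LURE_PATTERNS if re.search(p, body, re.I)]
    if hits:
        v.score += len(hits)
        v.reasons.append("lure phrases: " + ", ".join(hits))
    for url in re.findall(r"https?://\S+", body):
        if INSTALLER_EXT.search(url):
            v.score += 2
            v.reasons.append(f"link to an installer: {url}")
    for name in attachments:
        if INSTALLER_EXT.search(name):
            v.score += 2
            v.reasons.append(f"installer attachment: {name}")
    return v


# Constructed samples: a lure in the style of the campaign, and a benign vendor mail.
SAMPLE_PHISH = dict(
    from_header="LastPassPulse <alerts@lastpass-pulse-notify.example>",
    subject="Action required: vulnerability found in your LastPass version",
    body=("A security vulnerability has been discovered in your current version "
          "of LastPass. Download the new version immediately to prevent a data "
          "breach: http://update.example/LastPass-Update.exe"),
)
SAMPLE_LEGIT = dict(
    from_header="LastPass <noreply@lastpass.com>",
    subject="Your LastPass security dashboard",
    body="Here is your weekly summary. Log in at https://lastpass.com/ to review it.",
)

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        verdict = score_email(**msg)
        print(label, verdict.score, verdict.is_phish, verdict.reasons)
```

The brand/domain mismatch carries the most weight because it is the one signal the lure cannot avoid: the mail has to name the brand to be convincing, and it cannot be sent from the vendor's domain. The phrase list and installer-link check are secondary and will need adjusting as the wording changes.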
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
063 197 7510 (Mr. Yanotai)
065 725 7405 (Ms. Nattharini)
Weekly Interesting CVE
| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-61882 | 5/10/2025 | 7/10/2025 | Oracle E-Business Suite (EBS) | Remote Code Execution (RCE) | 9.8 | This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution. | Administrators must immediately apply the vendor-supplied security update for Oracle E-Business Suite (e.g., versions newer than 12.2.14). Due to active exploitation, this must be treated as an emergency patch. | https://www.oracle.com/security-alerts/alert-cve-2025-61882.html |
| 2 | CVE-2025-4615 | 9/10/2025 | 9/10/2025 | Palo Alto Networks PAN-OS | Command Injection | 7 | An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and execute arbitrary commands. | Upgrade PAN-OS: Upgrade the PAN-OS system to the fixed versions released by Palo Alto Networks, such as versions 10.2.17, 11.1.11, 11.2.8, or newer. | |
| 3 | CVE-2025-54379 | 10/10/2025 | 10/10/2025 | LF Edge eKuiper in versions before 2.2.1 | SQL Injection | 9.8 | LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constrained edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. | Update to version 2.2.1. | https://app.opencve.io/cve/CVE-2025-54379 |
| 4 | CVE-2025-23282 | 10/10/2025 | 10/10/2025 | NVIDIA Display Driver for Linux | Code execution, escalation of privileges, data tampering, denial of service, information disclosure | 7.0 | NVIDIA Display Driver for Linux contains a vulnerability where an attacker might be able to use a race condition to escalate privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | NVIDIA has released security updates for each branch of drivers. | |
| 5 | CVE-2025-10585 | 9/10/2025 | 9/10/2025 | Google Chrome prior to 140.0.7339.185 | Code execution | 9.8 | Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | Google Chrome has released an update to version 140.0.7339.186. | https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html |
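The eKuiper entry (CVE-2025-54379) describes a table name taken from an API request and placed into a SQLite query. That class of flaw cannot be fixed with ordinary bind parameters, because SQL placeholders bind values, not identifiers. The snippet below, added here as an example and not eKuiper's own code, shows the unsafe pattern beside a hardened version that enforces identifier syntax, an explicit allowlist of tables the endpoint may serve, and identifier quoting. The schema, the allowlist and the sample rows are constructed.

```python
"""Unsafe vs. hardened handling of a caller-supplied table name in a
"get last row" API backed by SQLite (the class of flaw behind CVE-2025-54379).

Added example, not eKuiper's code. ASSUMPTIONS: the schema, the exposed-table
allowlist and the sample rows are constructed.
"""
import re
import sqlite3


def open_db():
    """Constructed schema: one table the API is meant to expose, one it is not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE readings (id INTEGER PRIMARY KEY, value REAL);
        CREATE TABLE secrets  (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO readings (value) VALUES (1.5), (2.5), (3.5);
        INSERT INTO secrets (token) VALUES ('constructed-token');
    """)
    return conn


def get_last_unsafe(conn, table):
    """Vulnerable pattern: the caller's string is pasted straight into the SQL,
    so whatever table (or SQL fragment) the caller names is what runs."""
    return conn.execute(f"SELECT * FROM {table} ORDER BY id DESC LIMIT 1").fetchall()


# Hardened version. '?' placeholders cannot bind identifiers, so the defence is:
# (1) strict identifier syntax, (2) an explicit allowlist of the tables this
# endpoint may serve, (3) double-quote the identifier anyway.
EXPOSED_TABLES = {"readings"}  # ASSUMED allowlist for this endpoint
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def get_last_hardened(conn, table):
    if not IDENT_RE.fullmatch(table):
        raise ValueError(f"invalid table identifier: {table!r}")
    if table not in EXPOSED_TABLES:
        raise ValueError(f"table not exposed by this API: {table!r}")
    quoted = '"' + table.replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted} ORDER BY id DESC LIMIT 1").fetchall()


def hardened_rejects(conn, table):
    """True if the hardened endpoint refuses the name (used to show the contrast)."""
    try:
        get_last_hardened(conn, table)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(get_last_unsafe(db, "readings"))    # the intended use
    print(get_last_unsafe(db, "secrets"))     # unsafe: reads a table the API should never expose
    print(get_last_hardened(db, "readings"))  # same result, but only for allowlisted tables
    print(hardened_rejects(db, "secrets"), hardened_rejects(db, "readings; DROP TABLE readings"))
```

The allowlist is the part that actually closes the hole: identifier quoting alone would still let a caller read any table in the database, and the syntax check alone would still let them name `secrets`. Applying all three keeps the query shape fixed regardless of input.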
Malware News or Campaign IOC/IOA
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | Microsoft Locks Down IE Mode | 13/10/2025 | Social Engineering, Remote Code Execution (RCE) | Microsoft has announced a major update to its Microsoft Edge browser to “lock down” (restrict access to) its Internet Explorer Mode (IE Mode) feature after attackers exploited a vulnerability in the feature to compromise victims’ systems. According to The Hacker News, the attack begins by tricking users into visiting a seemingly legitimate website. A button or message prompts them to “Open the page in IE Mode”, causing the site to load through Internet Explorer’s Chakra engine, which is embedded in Edge to support legacy websites. Once the page is opened in IE Mode, the vulnerability in the Chakra engine is used to execute malicious code remotely (RCE) on the victim’s machine. The attacker then uses other vulnerabilities to escalate privileges from a normal user to a system-level one, enabling the installation of backdoors or complete control of the machine. In some cases, this has been used as a starting point to infiltrate corporate networks. IE Mode exists so that organizations can keep using legacy web apps developed in the Internet Explorer era. However, the feature is highly vulnerable because it does not fully use Edge’s modern security mechanisms, such as sandboxing and process isolation, making it a legacy channel that attackers can use to circumvent defenses. | |
Ref: Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor
21 October 2025