Malware More Often Targeting Password Managers
Not surprisingly, malware is starting to target password managers more often. What does it mean for password manager users? Should they still use password managers even though they represent a critical single-point-of-failure, where one compromise and every stored password is likely to be compromised?
Yes, and let’s discuss why.
Although password managers have been around for decades, they are only now really starting to pick up steam. The password manager global market value was calculated as under $2B in 2022, but expected to be a $6B-$7.8B market in the coming years (https://www.persistencemarketresearch.com/market-research/password-management-software-market.asp and https://www.globenewswire.com/news-release/2022/10/06/2529747/0/en/Password-Management-Market-to-Hit-Sales-of-7-09-Billion-by-2028-LastPass-1Password-and-Dashlane-are-Leading-the-Market.html). Many long-time cybersecurity experts now use and recommend using password managers.
KnowBe4 has been recommending password managers for years, including in our Password Policy ebook (https://info.knowbe4.com/wp-password-policy-should-be) released last year. Password managers make it easy to create and use strong passwords that are unique for every site (and service, application, etc.).
A password manager stores all your passwords in what is often called a vault. A vault is usually just a regular computer file, but it can be a database file or a few other formats. The file is usually stored on the device where the password manager is installed, but on some password managers, the vault can be located somewhere else (e.g., removable media, etc.). Stored passwords may be replicated to other non-local storage areas, such as at the vendor’s site or a cloud storage. No matter how a password manager stores the passwords, they are all accessible from the program.
If a password manager gets compromised, then an attacker has the ability to access all the stored passwords all at once, instead of perhaps only learning one or a few passwords right away (using observation or keylogging trojans) as the user types them in. Password managers have always been hotly debated between practitioners over whether they are worth the risk. Are the big risks they offset (e.g., weak and reused passwords) worth the potentially catastrophic single-point-of-failure risk? Both KnowBe4 and I are pro-password manager and have answered, “Yes”, many times, including here: https://blog.knowbe4.com/password-managers-can-be-hacked.
If you are interested in the different types of attacks and risks associated with password managers, watch my KnowBe4 webinar on the subject: https://info.knowbe4.com/truth-about-password-managers
It has been widely anticipated by cybersecurity experts that as password managers become more popular, hackers and the malware they create would more often target password managers. It is no surprise. Hackers always target what becomes more popular. This appears to be happening in a significant way right now. Mark early 2023 as the year when more password managers started to be targeted much more often.
Malware Targeting Password Managers
Malware targeting password managers is nothing new. In 2014, the Citadel trojan, which was estimated to have exploited one in every 500 PCs worldwide, keylogged password manager master passwords as users typed them in to open their password managers (https://www.bankinfosecurity.com/malware-targets-password-managers-a-7602).
So even nearly a decade ago, a whole lot of PCs had password manager-targeting malware, but only 1% of users employed password managers back then. And even then, the malware did not automatically steal all the passwords stored in the targeted password manager. The malware simply stole the master password to the password manager, which the hacker could then use later on if they wanted to.
But the rising popularity of password managers started in 2022, and is changing the default nature of password stealing trojans, causing them to evolve. We are seeing more password stealing trojans directly targeting password managers and it is popular enough to even show up in Google ads. In this 2023 attack (https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/), malicious Google ads tried to social engineer Bitwarden password manager users into revealing their master passwords on fake websites. Other malicious ads targeted 1Password users (https://twitter.com/malwrhunterteam/status/1618721906114572290) by using the same social engineering trick.
But that is simply traditional password social engineering, which has been going on since the beginning of the Internet. The more interesting malware programs are trojans which target the locally installed password manager software itself. Malware that targets password manager software directly started by targeting only one or a few popular password managers.
For example, Arkei Infostealer (https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer) targeted only a single password manager, Trezor (along with some MFA options). Raccoon Stealer (available since 2019) was recently updated to target two password managers: Bitwarden and 1Password (https://www.bitdefender.com/files/News/CaseStudies/study/417/Bitdefender-PR-Whitepaper-Raccoon-creat6205-en-EN.pdf).
But increasingly, first starting in 2022 and accelerating more in 2023, malware is more directly targeting far more password managers. For example, the Stealc information stealing trojan (https://siliconangle.com/2023/02/21/new-stealc-information-stealing-malware-grows-popularity-dark-web/) is targeting 13 different password managers:
· Bitwarden
· BrowserPass
· CommonKey
· Dashlane
· KeePassXC
· Keeper
· LastPass
· MYKI
· NordPass
· RoboForm
· Splikity
· Trezor
· Zoho Vault
Not to be outdone, the Luca Stealer trojan (https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets) looks for 17 different password managers:
· 1Password
· Avira
· Bitwarden
· BrowserPass
· CommonKey
· Dashlane
· EOS Auth
· KeePassXC
· Keeper
· LastPass
· MYKI
· NordPass
· Norton
· RoboForm
· Splikity
· Trezor
· Zoho Vault
Still, these password manager-targeting trojans are not getting all of your stored passwords all at once. All of these password manager-targeting trojans work by eavesdropping on the password manager’s browser extension in action, meaning the trojans intercept passwords as they are used by the user who is utilizing the password manager. Passwords are stolen one-at-a-time as the user uses them and not all the stored passwords are gone at once. I still have not seen the password manager-targeting trojan that looks for the actual password manager, steals or bypasses its master password, and then exports all the stored passwords at once. But surely, it is coming.
Note: If you know of existing malware that automatically steals all passwords from a password manager, please let me know. I could have missed one.
While this post is focusing on stand-alone password manager programs, browsers, which store passwords for users to assist with automated logins, have been a popular target for malware attacks for far more years than trojans that target password managers. Today, almost all password-stealing malware, hundreds of families, targets passwords stored in browsers. By comparison, we likely have only a handful or two of malware families that directly target password managers. This is one of the reasons we have recommended standalone password managers over operating system-based and browser-based password managers (https://www.dhirubhai.net/pulse/browser-based-vs-os-based-standalone-password-managers-roger-grimes/).
In a sense, malware that “only” steals using keylogging as the user types in their password and/or from browsers can be thought of as the traditional, default method that most password stealing trojans use to get people’s passwords. There are literally tens of thousands of malware programs that target extracting passwords from browsers. Examples of browser-based password stealers include: https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/ and https://blog.cyble.com/2021/10/26/vidar-stealer-under-the-lens-a-deep-dive-analysis/. While this post focuses on password manager-targeting malware, the warnings and many of the recommended defenses below apply to browser-based password managers as well.
If you are interested in learning how many of your end users store their passwords in their browsers, use KnowBe4’s free Browser Password Inspector (https://www.knowbe4.com/browser-password-inspector) tool.
Also, be aware, many malware programs also readily harvest any information copied to an operating system clipboard, such as many password manager users do when copying and pasting passwords from a password manager to a login screen (if the password manager does not have auto-fill capabilities or does not work with a particular login screen).
Key Takeaway
The key takeaway of this post is that there are more malware programs directly targeting more password managers. But most password-stealing malware still targets passwords as users type in or use them, or focuses on exporting passwords stored in browsers; those remain the dominant forms.
The trend of malware that targets password managers will only continue to rise over time, as more and more users start to use them. Expect all the traditional password-stealing malware that used to only key log or steal passwords from browsers to expand into stealing passwords from password managers. All traditional password stealing trojans will have to pick up this functionality or be left behind by the competition. We will eventually see (more) malware that attacks and exports all passwords stored in password managers all at once.
Should You Still Use a Password Manager?
Yes! The huge risks that password managers mitigate (that of weak and/or shared passwords) far outweigh the risk of a user’s password manager being compromised. Yes, we are seeing more password manager-targeting malware, but the way in which the malware compromises password managers would be equally harmful to the user even if no password manager were used.
Almost all password-stealing trojans, of which there are many, require that the user’s desktop be “locally” compromised, and in most cases, the user’s browser also be compromised. The malware then records passwords as the user uses them. This keylogging functionality is usually identical regardless of whether a password manager is involved or not. The risk of the user’s individual password being stolen as the user uses it is the same whether a password manager is used or not. And if the user is using a password manager, at least they are mitigating the two bigger risks of using a password (i.e., weak and shared passwords).
While it is true that automated password-stealing malware steals passwords, one-at-a-time, as they are used by the user, is it not true that a hacker, in real-time, could compromise the entire password manager and extract all the stored passwords at once?
Yes. But manual password-stealing hackers account for a tiny fraction of what automated password-stealing trojans steal every day. And in any case, a hacker or their malware could simply keylog all passwords used by the user over time and get all of them anyway. This is true whether the user is using a password manager or not.
There is an increased risk that a manual hacker could extract all stored passwords all at once, over and beyond what automated malware currently does, but again, manual, human adversaries are only a fraction of the automated activity. And the hacker can only extract the passwords if your password manager is open and unlocked, further mitigating the risk.
Defenses Against Password Manager-Targeting Malware
The clear number one answer is do not get socially engineered into installing a password-stealing trojan. Nearly all password stealing trojans get installed by an end user getting tricked into running something they should not have opened or executed. Seventy to ninety percent of all successful hacking happens because of social engineering. Do not get tricked into installing trojan horse programs and the odds of your computer having a password-stealing trojan activated are greatly reduced.
If you are interested in how to do everything possible to stop social engineering, see this ebook: https://blog.knowbe4.com/new-e-book-comprehensive-anti-phishing-guide.
The second most likely way you are to end up with a password-stealing trojan on your computer (and it is a distant second) is due to unpatched software. Make sure you check for and install all critical patches, especially if the vulnerability appears on CISA’s Known Exploited Vulnerability Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). That is the software and firmware bugs being used by real-world attackers against real-world companies. That high-risk software matters the most. Make sure you patch it.
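As an added example that is not part of the original post, here is a small Python matcher that checks a host's installed-software inventory against an extract in the shape of CISA's KEV JSON feed and sorts the hits so that ransomware-linked and overdue items come first. The catalog entries, CVE ids and inventory below are constructed placeholders, not real KEV rows.

```python
"""Match a software inventory against a CISA KEV-style catalog extract.

The record shape follows the public KEV JSON feed (a 'vulnerabilities' list
with cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse);
all values below are CONSTRUCTED placeholders, not real catalog rows.
"""
import json
from datetime import date

# Constructed sample catalog with placeholder CVE ids.
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "Example Browser", "dueDate": "2023-03-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
         "product": "Example Office Suite", "dueDate": "2023-04-15",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
         "product": "Unrelated Appliance", "dueDate": "2023-02-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed host inventory: (vendor, product) pairs reported as installed.
INVENTORY = [
    ("ExampleVendor", "Example Browser"),
    ("ExampleVendor", "Example Office Suite"),
    ("ThirdVendor", "Some Tool"),
]


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(s.lower().split())


def kev_matches(kev_json: str, inventory, today_iso: str):
    """Return catalog entries whose vendor/product is installed on the host.

    Each hit records whether the remediation due date has passed and whether
    the entry is flagged as used in ransomware campaigns; hits are sorted so
    the most urgent patches come first.
    """
    catalog = json.loads(kev_json)["vulnerabilities"]
    installed = {(_norm(v), _norm(p)) for v, p in inventory}
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in catalog:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        if key not in installed:
            continue
        hits.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    hits.sort(key=lambda h: (not h["ransomware"], not h["overdue"], h["cve"]))
    return hits


if __name__ == "__main__":
    for hit in kev_matches(KEV_SAMPLE, INVENTORY, "2023-03-15"):
        print(hit)
```

Point it at the real feed by loading the downloaded KEV JSON and your endpoint inventory in place of the constructed samples; matching is by vendor and product name only, so confirm affected versions before closing a finding.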
Use phishing-resistant MFA or passwordless options when and where you can. This is not only to protect your password manager (instead of using a master password); use it on all your most important sites and services. Unfortunately, if you added up all the possible MFA and passwordless authentication solutions together, they still could not be used on more than 2% of the world’s websites and services.
So, you are going to need to use passwords. Use a good password manager, with a vendor that has a true commitment to security to create and use strong passwords. You are far more likely to get compromised by using weak or shared passwords (the number three reason why computers are compromised) than because you used a password manager. And if your computer gets compromised by a trojan horse program, whether you do or do not use a password manager is not going to matter. So, use a password manager to mitigate the two biggest risks of using passwords (i.e., weak and/or shared passwords).