How should we protect 1Password from the Meduza Stealer?
The following link is to an article listing 1Password as a target for the Meduza Stealer.
This article was published by TechRepublic on July 6 2023. It points out that:
"The malware specifically targets extensions associated with two-factor authentication and password managers with the intention of extracting data; these extensions possess significant information and may contain vulnerabilities. Through gaining access to 2FA codes or exploiting weaknesses in password manager extensions, the attacker might be able to evade security protocols and achieve unauthorized access to user accounts."
Are there any suggestions on how to deal with this?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
This is very concerning and hopefully a patch is in the works. I am using version 8.10 of 1Password.
Hi there @phawtrey
Some version of this has been mentioned before (and most likely by me), but it's worth repeating here: If there's malware on your system, all bets are off. That is to say, 1Password can't be any more secure than the system it runs on if malware undermines that security.
The best defence against anything like Meduza, by and large, is vigilance. By avoiding infection in the first place, we don't have to worry about remediation, just like with human healthcare.
Technical solutions to malware are all well and good (and are definitely useful!), but humans remain the weak link in the chain, and might still for some reason decide to override a warning issued by their system that what they're doing is unsafe. People, ultimately, are the ones who make mistakes.
If we (users) exercise the typical caution while browsing the web, we're unlikely to download, install, and run anything harmful. There are things that help with this, like your browser's built-in safe browsing system, which might well stop you before you even get to a dangerous website. Some browsers like Chrome also offer enhanced safe browsing which takes things a step further.
Even if that fails, your computer's built-in anti-malware system, like Microsoft Defender, will probably catch it and stop it (as long as its definitions have been allowed to update regularly). If you have additional protection from something else like an anti-virus suite, then that might well catch it if Microsoft Defender didn't, for example.
Similarly, if you received something like this in an email, your email provider would most likely be checking attachments for malware, and would screen any links in emails to let you know if they're unsafe or not.
That Tech Republic article mentions:
It’s highly suspected that Meduza Stealer is spread via the usual methods used for information stealers, such as compromised websites spreading the malware and phishing emails.
"Highly suspected" doesn't mean "known", so we have to be cautious about our assumptions here, but if that's true, then the points above about being vigilant and having the standard security posture in place will likely apply.
Hope that helps, but let me know if you have any questions. :)
— Grey
Thank you, Grey. You give sound advice. I added a firewall to my system in addition to malware detection on each computer, which is probably more than most of us need, but it does add another layer of protection. I did not quite understand the note about how "The malware specifically targets extensions". But clearly, if it is well known it should be easily blocked by common malware.
I added a firewall to my system in addition [...] which is probably more than most of us need
Both macOS and Windows come with their own built-in firewalls, and they cause very little friction (if any) by being turned on. I only ever had trouble previously when I tried to remotely connect to my home Mac and forgot to allow an incoming connection for that - no-one to blame but me for that, and it's probably not something that a lot of users will do.
Firewalls will protect from outside connections to your computer, and they absolutely have our thanks for that, but in these days of phishing emails, scam websites, and so on, other vectors are worth bearing in mind. To put it another way, why sticky-tape a message around a brick and throw it through someone's window, when you could just neatly place it in an envelope and slip it through their front door? Different route, but ultimately the same result. One will make someone realise they're under attack, and the other might just be seen as junk mail. That's a bad example, but the point still stands. Nowadays, malware is more like a vampire – it can't just come in without being invited, so it tries its hardest to make you do that.
I did not quite understand the note about how "The malware specifically targets extensions"
Browser extensions run code, just like any other app. They just so happen to do that within the environment of the parent browser. So in this case, it seems like Meduza isn't targeting any particular browser (probably since those are regularly updated and generally well-armoured) but rather the "juicier" contents of specific extensions, if they can get away with it.
But clearly, if it is well known it should be easily blocked
My casual armchair analysis of this shows that there's pretty good awareness of this in the security community, but it looks like no actual attacks have taken place as of the time of writing. So although it's absolutely not just a theoretical attack, it also hasn't happened yet, so I'd be surprised if it'll just sneak past defences if it does appear in the wild.
As with a lot of things in the security world, the standard approach of "Don't panic, but do pay attention" generally serves us well.
You give sound advice
Thank you! :) The team and I will be here if you need anything.