- A malicious actor launched a round of phishing attacks against Passwordstate customers, after several organizations posted copies of correspondence on social media following last week's supply chain attack against the enterprise password management service, according to an update from Australia-based parent firm Click Studios.
- Click Studios warned customers not to post any of its correspondence online as a small number of customers had been attacked with emails pretending to be from the company. Click Studios said the threat actor behind the original attack is monitoring social media for any potential follow-on attacks against customers.
- The phishing email is asking customers to download a modified hotfix file, called Moserware.zip, which is from a content delivery network not controlled by Click Studios. The new attack employs a modified version of the malformed Moserware.SecretSplitter.dll, which uses an alternate site to load a payload file, according to Click Studios.
Researchers had feared a secondary attack might be in the works, based on activity observed since the original supply chain incident, according to Jan Kaastrup, CTO at CSIS Group.
"Our investigation found out that there was indeed, in the Stage 2 of the payload, it was only related to data exfiltration," he said in an interview earlier this week. "But it also showed there could be other Stage 2 DLL's related. At least one more that we know about."
CSIS was originally contacted last week by several customers after they were notified of the attack by Click Studios. Kaastrup declined to provide any specific details on the customers.
The attackers previously compromised an update for about 28 hours between April 20-22, installing a backdoor onto customer systems that upgraded over that period of time.
It is not immediately clear exactly what the threat actor was planning in terms of a follow-on attack, but Click Studio officials said that customers are being monitored via social media in terms of how they react to the initial incident.
Passwordstate is used by more than 29,000 companies and other organizations worldwide and 370,000 security and IT professionals globally, according to a posting on the company website.
The service is designed to let enterprise users securely access applications and other services and provides secure access to vendors and mobile users. The service has been used in a variety of verticals, including banking, government, defense industry, utilities and other sectors.
GSATi, a Texas-based web commerce company, confirmed that it is a former customer of Passwordstate but migrated to a new 1Password several years ago; it was not impacted by last week's supply chain attack. Comments from the company are featured on the Passwordsite website.
"We are closely monitoring the situation and believe this highlights the importance of effective password management policies, including timely alerts of any potential security incidents to ensure users can quickly change and secure their data," the company said in an emailed statement.