Click Studios, the
Australian software firm which confirmed a supply chain attack affecting its Passwordstate password
management application, has warned customers of an ongoing phishing attack by
an unknown threat actor.
"We have
been advised a bad actor has commenced a phishing attack with a small number of
customers having received emails requesting urgent action," the company said in an updated advisory released on Wednesday.
"These emails are not sent by Click Studios."
Last week, Click Studios said attackers had employed
sophisticated techniques to compromise Passwordstate's update mechanism, using
it to drop malware on user computers. Only customers who performed In-Place
Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC are said to
be affected.
While Passwordstate serves about 29,000 customers, the
Adelaide-based firm maintained that the number of affected customers is
very low. It is also urging users not to post the company's correspondence on
social media, saying the actor behind the breach is actively monitoring such
platforms for information about the attack and using it to mount related
intrusions.
The original attack was carried out via a trojanized
Passwordstate update containing a modified DLL
("moserware.secretsplitter.dll") that retrieved a second-stage payload from a
remote server in order to exfiltrate sensitive information from compromised
systems. As a countermeasure, Click Studios released a hotfix package named
"Moserware.zip" to help customers remove the tampered DLL and advised affected
users to reset all passwords stored in the password manager.
The newly spotted phishing attack uses email messages that "replicate Click
Studios email content", modelled on the emails customers shared on social
media, to push a new variant of the malware. Because the bait reuses the
hotfix's own file name, the only safe source for Moserware.zip is Click Studios
itself.
"The phishing attack is requesting customers to download a
modified hotfix Moserware.zip file, from a CDN Network not controlled by Click
Studios, that now appears to have been taken down," the company said.
"Initial analysis indicates this has a newly modified version of the
malformed Moserware.SecretSplitter.dll, that on loading then attempts to use an
alternate site to obtain the payload file."
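Two checks a Passwordstate administrator can run offline against the two
abuses described above (a hotfix link pointing at a host the vendor does not
control, and a DLL that no longer matches a known-good build). This is an added
example, not Click Studios' code or tooling. It assumes that clickstudios.com.au
is the only legitimate download host, and the sample email body and the
"known-good" DLL bytes are constructed for the demo rather than real artefacts
or vendor-published hashes.

```python
"""Offline checks for a vendor-impersonation hotfix lure and a tampered DLL.

Added example, not Click Studios' code. Assumptions: clickstudios.com.au is the
only legitimate download host, and the known-good SHA-256 set is constructed for
this demo rather than taken from a vendor advisory.
"""
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the vendor's own domain. Any other host offering Moserware.zip is suspect.
VENDOR_DOMAIN = "clickstudios.com.au"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_vendor_url(url: str) -> bool:
    """Accept only HTTPS links whose hostname is the vendor domain or a subdomain.

    urlparse().hostname drops userinfo and ports, so look-alikes such as
    https://clickstudios.com.au@evil.example/ or hosts that merely contain the
    vendor name (clickstudios.com.au.evil.example) are rejected.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)
    )


def flag_links(email_text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link found in an email body."""
    return [
        (u, "vendor" if is_vendor_url(u) else "SUSPECT")
        for u in URL_RE.findall(email_text)
    ]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Streaming SHA-256 for the installed DLL on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_dll(data: bytes, known_good: set[str]) -> str:
    """'ok' if the bytes hash to a known-good value, else 'UNKNOWN' (treat as tampered)."""
    return "ok" if sha256_bytes(data) in known_good else "UNKNOWN"


# Constructed phishing body modelled on the page's description; not a real email.
SAMPLE_EMAIL = """\
Urgent: apply the Passwordstate hotfix immediately.
Official package: https://www.clickstudios.com.au/downloads/Moserware.zip
Mirror (faster): https://cdn.clickstudios.com.au.files-update.example/Moserware.zip
Alt: https://clickstudios.com.au@files-update.example/Moserware.zip
"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:8} {url}")

    # Constructed stand-in for a clean Moserware.SecretSplitter.dll; a real
    # deployment would load the vendor-published hash here instead.
    clean_dll = b"MZ\x90\x00constructed-clean-dll"
    known_good = {sha256_bytes(clean_dll)}
    print(classify_dll(clean_dll, known_good))                   # ok
    print(classify_dll(clean_dll + b"\x00patched", known_good))  # UNKNOWN
```

The hostname check deliberately ignores everything before an `@` and anything
after the host, because that is exactly where a lure hides the vendor name; the
hash check returns UNKNOWN rather than "bad" because a hash that is not on the
allow-list is all the defender can establish offline.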
The Passwordstate hack is the latest high-profile supply-chain
attack to come to light in recent months, highlighting how sophisticated threat
groups are targeting software built by third parties as a stepping-stone to
break into sensitive government and corporate computer networks.