Dive Brief:
- A malicious actor launched a round of phishing attacks against Passwordstate customers after several organizations posted copies of the vendor's correspondence on social media following last week's supply chain attack against the enterprise password management product, according to an update from Australia-based vendor Click Studios.
- Click Studios warned customers not to post any of its correspondence online, as a small number of customers had already been targeted with emails pretending to come from the company. Click Studios said the threat actor behind the original attack is monitoring social media for posts it can use to mount follow-on attacks against customers.
- The phishing email asks customers to download a modified hotfix file, called Moserware.zip, hosted on a content delivery network not controlled by Click Studios. The new attack uses a modified version of the malformed Moserware.SecretSplitter.dll from the original incident, altered to load its payload file from an alternate site, according to Click Studios.
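The lure above turns on two things an administrator can check offline before applying any "hotfix": where the archive was downloaded from, and whether the DLL inside it is the vendor's build or a modified one that reaches out to another site for its payload. The script below is an added example, not Click Studios' code or tooling. The vendor host names, the pinned hash, and the archive contents are all constructed for the demo; in practice the expected hash would come from a vendor advisory obtained out of band, never from the email that delivered the file.

```python
"""Triage a hotfix archive before applying it (added example, not vendor code).

Checks: (1) the download host is on an assumed vendor allowlist,
(2) the DLL inside the archive matches a pinned SHA-256, and
(3) the DLL embeds no URL strings pointing at hosts off the vendor domain,
since the modified DLL described above fetched its payload elsewhere.
"""
import hashlib
import io
import re
import zipfile
from urllib.parse import urlparse

# Assumed vendor hosts: placeholders for this example, not from any advisory.
VENDOR_HOSTS = {"clickstudios.com.au", "www.clickstudios.com.au"}

# Loose matcher for ASCII URL-looking strings inside a binary. A fuller tool
# would also scan UTF-16LE, which .NET assemblies commonly use for strings.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\x00\"'<>]*)?")


def host_is_trusted(url: str) -> bool:
    """True only if the URL's host is exactly on the vendor allowlist."""
    host = (urlparse(url).hostname or "").lower()
    return host in VENDOR_HOSTS


def member_sha256(zip_bytes: bytes, member: str) -> str:
    """SHA-256 hex digest of one file inside an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return hashlib.sha256(zf.read(member)).hexdigest()


def foreign_urls(zip_bytes: bytes, member: str) -> list:
    """URL strings embedded in the member whose host is not the vendor's."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(member)
    found = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        if not host_is_trusted(url):
            found.append(url)
    return found


def triage_hotfix(download_url, zip_bytes, expected_sha256,
                  member="Moserware.SecretSplitter.dll"):
    """Return (safe_to_apply, findings) for a downloaded hotfix archive."""
    findings = []
    if not host_is_trusted(download_url):
        findings.append("download host not on vendor allowlist: " + download_url)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    if member not in names:
        findings.append("expected member missing: " + member)
        return False, findings
    actual = member_sha256(zip_bytes, member)
    if actual != expected_sha256.lower():
        findings.append("hash mismatch for %s: %s" % (member, actual))
    for url in foreign_urls(zip_bytes, member):
        findings.append("embedded URL off vendor domain: " + url)
    return not findings, findings


def build_zip(member: str, content: bytes) -> bytes:
    """Build a constructed sample archive for the demo (not a real hotfix)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


# --- Constructed inputs; none of these bytes come from the real DLLs. ---
GOOD_DLL = b"MZ\x90\x00 stand-in for the vendor's SecretSplitter build"
GOOD_ZIP = build_zip("Moserware.SecretSplitter.dll", GOOD_DLL)
GOOD_SHA256 = hashlib.sha256(GOOD_DLL).hexdigest()  # stands in for a pinned hash

# Modified DLL: same bytes plus a hard-coded payload URL on a non-vendor CDN.
BAD_DLL = GOOD_DLL + b"\x00https://cdn.example.net/Moserware/payload.bin\x00"
BAD_ZIP = build_zip("Moserware.SecretSplitter.dll", BAD_DLL)

if __name__ == "__main__":
    samples = [
        ("https://www.clickstudios.com.au/hotfix/Moserware.zip", GOOD_ZIP),
        ("https://cdn.example.net/hotfix/Moserware.zip", BAD_ZIP),
    ]
    for url, blob in samples:
        ok, why = triage_hotfix(url, blob, GOOD_SHA256)
        print("APPLY " if ok else "REJECT", url)
        for line in why:
            print("   -", line)
```

The host check is an exact-match allowlist rather than a suffix match, so a look-alike such as `clickstudios.com.au.example.net` is rejected. The string scan is triage only: a DLL that builds its URL at runtime or stores it UTF-16 encoded will not be caught, and on Windows the hash check should be paired with `Get-AuthenticodeSignature` on the extracted DLL where the vendor ships a signed build.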
Dive Insight:
Researchers had feared a secondary attack might be in the works, based on activity observed since the original supply chain incident, according to Jan Kaastrup, CTO at CSIS Group.
"Our investigation found out that there was indeed, in the Stage 2 of the payload, it was only related to data exfiltration," he said in an interview earlier this week. "But it also showed there could be other Stage 2 DLLs related. At least one more that we know about."
CSIS was originally contacted last week by several customers after they were notified of the attack by Click Studios. Kaastrup declined to provide any specific details on the customers.
The attackers previously compromised an update for about 28 hours between April 20 and 22, installing a backdoor on the systems of customers that upgraded during that window.
It is not immediately clear what the threat actor was planning in terms of a follow-on attack, but Click Studios officials said the actor is watching social media to see how customers react to the initial incident.
Passwordstate is used by more than 29,000 companies and other organizations worldwide and 370,000 security and IT professionals globally, according to a posting on the company website.
The product is designed to let enterprise users securely access applications and other services, and provides secure access for vendors and mobile users. It is used across a variety of verticals, including banking, government, the defense industry and utilities.
GSATi, a Texas-based web commerce company, confirmed that it is a former customer of Passwordstate but migrated to 1Password several years ago; it was not impacted by last week's supply chain attack. Comments from the company are featured on the Passwordstate website.
"We are closely monitoring the situation and believe this highlights the importance of effective password management policies, including timely alerts of any potential security incidents to ensure users can quickly change and secure their data," the company said in an emailed statement.