Click Studios, the Australian software company known for the Passwordstate password manager, suffered a breach between April 20 and April 22, first detected and reported by CSIS Security Group. The researchers said they may have discovered the next big supply chain hack.
In the report, published in an April 23 blog post, the firm provided digital evidence that ClickStudios suffered a breach during which the attacker pushed a tampered update to Passwordstate that contained a dynamic link library carrying malicious code.
“The malicious code tries to contact [a URL] in order to retrieve an encrypted code. Once decrypted, the code is executed directly in memory,” the researchers wrote.
Moserpass, the malware in the update, connected to a command and control server to execute the next stage of the attack. CSIS found two malware samples that were used to develop indicators of compromise, but could not catch any second-stage payloads because the attackers’ server was shut down.
IOCs
Malicious DLL (SHA-256): f23f9c2aaf94147b2c5d4b39b56514cd67102d3293bdef85101e2c05ee1c3bf9
File name: Moserware.SecretSplitter.dll
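The practical use of the two indicators above is to check Passwordstate hosts for the tampered DLL. The following script is an added example, not code from CSIS or Click Studios: it walks a directory tree, streams every file through SHA-256 and reports a confirmed match against the published hash, while treating a bare file-name match as a triage hint only, because Moserware.SecretSplitter.dll is also the name of a normal Passwordstate component and only the hash identifies the malicious copy. The directory layout and sample files are assumptions for illustration.

```python
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 of the malicious DLL, as published in the CSIS report quoted above.
MALICIOUS_DLL_SHA256 = {
    "f23f9c2aaf94147b2c5d4b39b56514cd67102d3293bdef85101e2c05ee1c3bf9",
}
# File name the malicious DLL shipped under. The same name belongs to a legitimate
# component, so a name match on its own is a hint for manual review, not a detection.
SUSPICIOUS_DLL_NAMES = {"moserware.secretsplitter.dll"}

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large files never need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, hashes=MALICIOUS_DLL_SHA256, names=SUSPICIOUS_DLL_NAMES):
    """Walk `root` and return a list of (path, verdict) for files matching an IOC.

    verdict is "hash-match" when the file's SHA-256 is a known-bad hash (confirmed),
    or "name-only" when only the file name matches (needs a human to look at it).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable file: skip it rather than abort the whole scan.
                continue
            if digest in hashes:
                findings.append((str(path), "hash-match"))
            elif name.lower() in names:
                findings.append((str(path), "name-only"))
    return findings


if __name__ == "__main__":
    # Hypothetical usage: python scan_iocs.py "C:\inetpub\passwordstate"
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in scan_directory(target):
        print(f"{verdict}: {path}")
```

A "hash-match" finding means the published malicious DLL is present and the host should be treated as compromised; a "name-only" finding is expected on a clean install and is listed only so that the file can be compared against a known-good copy if the hash list is later extended.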
It is unclear how many Passwordstate users downloaded the update. The company claims to have over 29,000 customers and 370,000 security and IT professionals worldwide. It is also unknown who they are, since the company does not disclose the names of its customers:
“As much as we would like to advertise all our customers on our web site we hope you can appreciate us honouring their wishes and keeping this information private and confidential.”
On April 24, ClickStudios published an advisory in which the company explains that only customers who performed In-Place Upgrades may be affected by the breach:
Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected.
ClickStudios said password records of affected customers may have been harvested. If the attacker succeeded in obtaining passwords, this would mean we have another supply chain attack in addition to SolarWinds, Microsoft Exchange, Accellion, and Codecov.
The company recommends its customers who use Passwordstate to “reset all the stored passwords, and especially VPNs, Firewall, Switches, local accounts or any server passwords etc.”