Customer accounts at Passwordstate hit by escalating series of phishing attempts
Last week, a supply chain attack was revealed to have targeted Passwordstate, an enterprise password management service used by over 29,000 companies and organizations worldwide. The news comes amid a series of phishing attacks against Passwordstate customers.
The attack was first reported by several customers to CSIS, the cybersecurity firm originally contacted by these customers after they were notified of the attack by Click Studios, the parent firm of Passwordstate. Jan Kaastrup, CTO of CSIS Group, declined to provide specific details on the affected customers.
The attack employed a tampered version of Moserware.SecretSplitter.dll, a component of Passwordstate. The modified DLL loads a payload file from an alternate site not controlled by Click Studios. According to Kaastrup, Stage 2 of the payload is related to data exfiltration.
The backdoor was installed on customer systems over a period of 28 hours between April 20 and 22, as part of the supply chain attack. Kaastrup's investigation found that there could be other related Stage 2 DLLs, at least one more that CSIS knows about. However, the additional Stage 2 DLL mentioned by Kaastrup has not been publicly named.
In response to the attack, Click Studios warned customers not to post any of its correspondence online, because a small number of customers had been targeted with emails pretending to be from the company. The phishing email asks customers to download a modified hotfix file, called Moserware.zip, hosted on a content delivery network not controlled by Click Studios.
GSATi, a Texas-based web commerce company, is a former Passwordstate customer that has since migrated to 1Password. GSATi emphasizes the importance of effective password management policies, including timely alerts of potential security incidents.
Researchers had feared a secondary attack might be in the works, based on activity observed since the original supply chain incident. Despite the attack, Passwordstate continues to be used in various verticals, including banking, government, defense industry, utilities, and other sectors.
It is currently unknown who perpetrated the attack. CSIS and Click Studios are continuing their investigations to identify the malicious actor and to protect affected customers.