Passwordstate Warns of Ongoing Phishing Attacks Following Data Breach

Click Studios, the Australian software firm which confirmed a supply chain attack affecting its Passwordstate password management application, has warned customers of an ongoing phishing attack by an unknown threat actor.

“We have been advised a bad actor has commenced a phishing attack with a small number of customers having received emails requesting urgent action,” the company said in an updated advisory released on Wednesday. “These emails are not sent by Click Studios.”

Last week, Click Studios said attackers had employed sophisticated techniques to compromise Passwordstate’s update mechanism, using it to drop malware on user computers. Only customers who performed In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC are said to be affected.

While Passwordstate serves about 29,000 customers, the Adelaide-based firm maintained that the total number of impacted customers is very low. It’s also urging users to refrain from posting correspondence from the company on social media, stating the actor behind the breach is actively monitoring such platforms for information pertaining to the attack in order to exploit it to their advantage for carrying out related intrusions.

The original attack was carried out via a trojanized Passwordstate update file containing a modified DLL (“moserware.secretsplitter.dll”) that, in turn, extracted retrieved a second-stage payload from a remote server so as to extract sensitive information from compromised systems. As a countermeasure, Click Studios released a hotfix package named “Moserware.zip” to help customers remove the tampered DLL and advised affected users to reset all passwords stored in the password manager.

The newly spotted phishing attack involves crafting seemingly legitimate email messages that “replicate Click Studios email content” — based on the emails that were shared by customers on social media — to push a new variant of the malware.

“The phishing attack is requesting customers to download a modified hotfix Moserware.zip file, from a CDN Network not controlled by Click Studios, that now appears to have been taken down,” the company said. “Initial analysis indicates this has a newly modified version of the malformed Moserware.SecretSplitter.dll, that on loading then attempts to use an alternate site to obtain the payload file.”

The Passwordstate hack is the latest high-profile supply-chain attack to come to light in recent months, highlighting how sophisticated threat groups are targeting software built by third parties as a stepping-stone to break into sensitive government and corporate computer networks.