Researchers at CSIS Security Group claim they have discovered what they think might be the next big supply chain hack.
In an April 23 blog, the firm claimed to have digital evidence that Australian company ClickStudios suffered a breach, sometime between April 20 and April 22, which resulted in the attacker dropping a corrupted update to its password manager Passwordstate. A zip file contained a dynamic link library with the malicious code, according to the blog.
“The malicious code tries to contact [a URL] in order to retrieve a encrypted code. Once decrypted, the code is executed directly in memory,” the researchers write.
The associated malware dubbed Moserpass – which was in the file name of a malicious dll found by researchers – called out to a command and control server to execute the next stage of the attack. However, that server went down before CSIS Security Group could grab and examine any second-stage malware that might have been used in follow up operations.
Follow on analysis by Juan Andres Guerrero-Saade, a principal security analyst at SentinelOne, found the lines of code added by the attackers were trivial and hard to miss, totaling just 4 kilobytes of data.
“At a glance, the Loader has functionality to pull a next stage payload from the [command and control server], Guerrero-Saade wrote on Twitter. “There’s also code to parse the ‘PasswordState’ vault’s global settings (Proxy UserName/Password, etc).”
The researchers do not know how many users of Passwordstate might have downloaded the update, and ClickStudios could not be reached for comment through phone or email at press time. The company does not publicly list specific customers on their website, citing security reasons, but does claim to serve over 29,000 customers and 370,000 security and IT professionals across different countries and industries worldwide. The company also notes that Passwordstate can be used by individuals and companies to access and share “sensitive password resources.”
“At Click Studios we take the privacy of our customers very seriously. Many have expressed they wish to keep private that they have selected Passwordstate to protect their credentials,” a disclaimer on the company’s customer page reads. “As much as we would like to advertise all our customers on our web site we hope you can appreciate us honouring their wishes and keeping this information private and confidential.”
If customers were compromised, it follows a wave of other damaging software supply chain hacks discovered in the last four months. SolarWinds, Microsoft Exchange, Accellion and Codecov all reported breaches by hacking groups who appeared to be specifically targeting them as a means to compromise downstream customers.
While such hacks are becoming more common and can expose hundreds or even thousands of customers to potential compromise, much can depend on how the affected company or supply chain partners set up their own internal network defense. Some, like the SolarWinds campaign, did widespread damage but were also found to have compromised a fraction of the thousands of companies that downloaded corrupted versions of Orion software.
CSIS researchers found at least two malware samples that were used to develop indicators of compromise and say they expect to find more in the coming variants beaconing to different command and control servers in the coming weeks. SC Media has reached out to the company for more detail on the attack and customer impact.
This is a developing story. Check back for updates.