Threat Response – Clickstudios Supply-chain Attack

26-04-2021

A SAFE DIGITAL JOURNEY

On April 24th[1], Clickstudios, the developer of PasswordState, informed their customers that a malicious update had been distributed via their official channels. In this message, we want to warn you about the threat and inform you about the possible mitigation steps.

Description

Clickstudios has published details about a supply-chain attack which took place between 20 April 2021 and 22 April 2021. During this period, a malicious update was distributed via the ‘In-Place’ update mechanism, which is responsible for updating the Passwordstate installation.

A detailed technical description can be found in the blog posts referenced in [2] and [3].

Impact

The malicious update contains a DLL into which a backdoor has been placed. This backdoor decrypts all passwords stored within PasswordState and transmits them to a server controlled by the attackers.
Thus, we estimate the impact as high.

Risk

Because the malicious update was distributed via the official channels of Clickstudios, we estimate the risk as high.

What should you do?

If your company uses the PasswordState software, Northwave strongly recommends checking whether the ‘In-Place’ update functionality was used in the period from 20 April 2021 up to and including 22 April 2021.

Furthermore, a strong indication that you have been compromised by this supply-chain attack is the file size of ‘moserware.secretsplitter.dll’, which can be found in the folder ‘C:\inetpub\passwordstate\bin\’ on the Passwordstate server.
If the size of this file is 65kb, it is likely that your passwords have been compromised.
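The following PowerShell script is an added example (not part of the Northwave advisory or Clickstudios’ own tooling) that automates the file-size check above on a Passwordstate server. It assumes the default installation path from the advisory, reads ‘65kb’ as the size Windows Explorer would display (bytes rounded up to whole kilobytes) and treats a last-write time inside the 20–22 April 2021 update window as a secondary signal.

```powershell
# Added example, not from the advisory: check the moserware.secretsplitter.dll
# size indicator and report supporting evidence for an incident responder.
# Assumption: default Passwordstate install path; adjust if installed elsewhere.
param(
    [string]$DllPath = 'C:\inetpub\passwordstate\bin\moserware.secretsplitter.dll'
)

# Update window from the advisory: 20 April up to and including 22 April 2021.
$windowStart = Get-Date '2021-04-20'
$windowEnd   = Get-Date '2021-04-23'   # exclusive upper bound

if (-not (Test-Path -LiteralPath $DllPath)) {
    Write-Output "NOT FOUND: $DllPath (non-default install? locate the Passwordstate bin folder and re-run)"
    return
}

$file = Get-Item -LiteralPath $DllPath
# Assumption: '65kb' in the advisory is the Explorer-style size, i.e. bytes rounded up to KB.
$sizeKB = [math]::Ceiling($file.Length / 1KB)
$modifiedInWindow = ($file.LastWriteTime -ge $windowStart) -and ($file.LastWriteTime -lt $windowEnd)

# Gather the evidence in one object so it can be exported or attached to a ticket.
$result = [pscustomobject]@{
    Path             = $file.FullName
    SizeBytes        = $file.Length
    SizeKB           = $sizeKB
    SizeMatchesIoC   = ($sizeKB -eq 65)
    LastWriteTime    = $file.LastWriteTime
    ModifiedInWindow = $modifiedInWindow
    # Hash is recorded for comparison against vendor-published values, not checked here.
    SHA256           = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
}
$result | Format-List

if ($result.SizeMatchesIoC) {
    Write-Warning 'File size matches the 65 KB indicator: treat as likely compromised and contact your CERT.'
} elseif ($modifiedInWindow) {
    Write-Warning 'DLL was modified inside the 20-22 April 2021 window: confirm whether the In-Place update ran before concluding it is clean.'
} else {
    Write-Output 'No match on the size indicator; still verify whether the In-Place update was used in the affected period.'
}
```

Run it as an administrator on the Passwordstate server and keep the output (in particular the hash and timestamp) as evidence for any follow-up investigation.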

If there is an indication or suspicion that you have fallen victim to this supply-chain attack, Northwave strongly recommends reaching out to our CERT immediately.
This will ensure a fast and adequate response to this potential threat.

What will Northwave do?

Northwave is also tracking developments regarding Indicators of Compromise (IoCs). Whenever we find new IoCs, we will add them to the Northwave Detection Platform.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.clickstudios.com.au/advisories/Incident_Management_Advisory-01-20210424.pdf

[2]: https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/

[3]: https://lordx64.medium.com/initial-analysis-of-passwordstate-supply-chain-attack-backdoor-code-aaff1df389e4


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.