Click Studios, makers of the Passwordstate enterprise password manager, has notified customers that attackers have compromised the app’s update process mechanism to deliver malware in a supply-chain attack after breaching its networks. A security researcher notes that Click Studios’ notification email to customers states that malicious upgrades were potentially downloaded by customers between April 20 and April 22. Users are warned to reset their passwords.

Experts Comments

April 27, 2021
Tom Garrubba
Senior Director and CISO
Shared Assessments

Attacks to payload distribution mechanisms are starting to become more commonplace despite the difficulty in executing such an attack (the recent SolarWinds breach is another great example of such an attack). These kind of threat actors appear much more predatory by showing greater patience in planning, penetrating their target, and then shadowing and studying the target’s internal machinations – in this case, their code promotion to customers. By identifying Click Studio’s flaws then

.....Read More

Attacks to payload distribution mechanisms are starting to become more commonplace despite the difficulty in executing such an attack (the recent SolarWinds breach is another great example of such an attack). These kind of threat actors appear much more predatory by showing greater patience in planning, penetrating their target, and then shadowing and studying the target’s internal machinations – in this case, their code promotion to customers. By identifying Click Studio’s flaws then waiting precisely for the right moment to roll out their malicious code, the threat actor’s ensured maximum distribution.

 

Vendors are not only encouraged to continuously evaluate and monitor their networking and systems controls – including those which promote code updates - but also to evaluate the security around their entire code promotion practices up to and including their distribution methods. Outsourcers are strongly encouraged to have a discussion and to even gain evidence that their vendors are practicing good cyber hygiene including code promotion and distribution.

  Read Less
April 27, 2021
Baber Amin
COO
Veridium

Have password? Get hacked. The fact is that in authentication, zero passwords = increased security.

 

   ‘Supply chain attacks are prime targets because they offer a multiplier effect. Passwords and other static knowledge-based verification methods are archaic, but it is hard to get rid of them completely. The goal THAT all organizations should be going for is to reduce their password related threat surface or footprint with a modern passwordless approach combined with biometrics and

.....Read More

Have password? Get hacked. The fact is that in authentication, zero passwords = increased security.

 

   ‘Supply chain attacks are prime targets because they offer a multiplier effect. Passwords and other static knowledge-based verification methods are archaic, but it is hard to get rid of them completely. The goal THAT all organizations should be going for is to reduce their password related threat surface or footprint with a modern passwordless approach combined with biometrics and device+user behavior and bio-mechanic analysis approach.  It’s key to focus on creating a strong binding between a user, their behavior, and the user agent in order to create an enhanced security and user experience.

  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.