Click Studios asks customers to stop tweeting about its Passwordstate data breach

Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords.

Last week, the company told customers to “commence resetting all passwords” stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers.

In an email to customers, Click Studios did not say how the attackers compromised the password manager’s update feature, but included a link to a security fix.

But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers.

Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.

In an update on its website, Click Studios said in a Wednesday advisory that customers are “requested not to post Click Studios correspondence on Social Media.” The email adds: “It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks.”

“It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content,” the company said.

Besides a handful of advisories published by the company since the breach was discovered, the company has refused to comment or respond to questions.

It’s also not clear if the company has disclosed the breach to U.S. and EU authorities where the company has customers, but where data breach notification rules obligate companies to disclose incidents. Companies can be fined up to 4% of their annual global revenue for falling foul of Europe’s GDPR rules.

Click Studios chief executive Mark Sandford has not responded to repeated requests (from TechCrunch) for comment. Instead, TechCrunch received the same canned autoresponse from the company’s support email saying that the company’s staff are “focused only on assisting customers technically.”

TechCrunch emailed Sandford again on Thursday for comment on the latest advisory, but did not hear back.

Passwordstate users warned to ‘reset all passwords’ after attackers plant malicious update

Click Studios, the Australian software house that develops the enterprise password manager Passwordstate, has warned customers to reset passwords across their organizations after a cyberattack on the password manager.

An email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customer passwords.

The email, posted on Twitter by Polish news site Niebezpiecznik early on Friday, said the malicious update exposed Passwordstate customers over a 28-hour window between April 20-22. Once installed, the malicious update contacts the attacker’s servers to retrieve malware designed to steal and send the password manager’s contents back to the attackers. The email also told customers to “commence resetting all passwords contained within Passwordstate.”

Click Studios did not say how the attackers compromised the password manager’s update feature, but emailed customers with a security fix.

The company also said the attacker’s servers were taken down on April 22. But Passwordstate users could still be at risk if the attacker’s are able to get their infrastructure online again.

Enterprise password managers let employees at companies share passwords and other sensitive secrets across their organization, such as network devices — including firewalls and VPNs, shared email accounts, internal databases, and social media accounts. Click Studios claims Passwordstate is used by “more than 29,000 customers,” including in the Fortune 500, government, banking, defense and aerospace, and most major industries.

Although affected customers were notified this morning, news of the breach only became widely known several hours later after Danish cybersecurity firm CSIS Group published a blog post with details of the attack.

Click Studios chief executive Mark Sanford did not respond to a request for comment outside Australian business hours.

Read more:

Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

The current risks aren’t just technology problems; they’re also problems of people and processes.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.

Education non-profit Edraak ignored a student data leak for two months

Edraak, an online education non-profit, exposed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently by mistake.

The non-profit, founded by Jordan’s Queen Rania and headquartered in the kingdom’s capital, was set up in 2013 to promote education across the Arab region. The organization works with several partners, including the British Council and edX, a consortium set up by Harvard, Stanford, and MIT.

In February, researchers at U.K. cybersecurity firm TurgenSec found one of Edraak’s cloud storage servers containing at least tens of thousands of students’ data, including spreadsheets with students’ names, email addresses, gender, birth year, country of nationality, and some class grades.

TurgenSec, which runs Breaches.UK, a site for disclosing security incidents, alerted Edraak to the security lapse. A week later, their email was acknowledged by the organization but the data continued to spill. Emails seen by TechCrunch show the researchers tried to alert others who worked at the organization via LinkedIn requests, and its partners, including the British Council.

Two months passed and the server remained open. At its request, TechCrunch contacted Edraak, which closed the servers a few hours later.

In an email this week, Edraak chief executive Sherif Halawa told TechCrunch that the storage server was “meant to be publicly accessible, and to host public course content assets, such as course images, videos, and educational files,” but that “student data is never intentionally placed in this bucket.”

“Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket,” Halawa confirmed.

“Unfortunately our initial scan did not locate the misplaced data that made it there accidentally. We attributed the elements in the Breaches.UK email to regular student uploads. We have now located these misplaced reports today and addressed the issue,” Halawa said.

The server is now closed off to public access.

It’s not clear why Edraak ignored the researchers’ initial email, which disclosed the location of the unprotected server, or why the organization’s response was not to ask for more details. When reached, British Council spokesperson Catherine Bowden said the organization received an email from TurgenSec but mistook it for a phishing email.

Edraak’s CEO Halawa said that the organization had already begun notifying affected students about the incident, and put out a blog post on Thursday.

Last year, TurgenSec found an unencrypted customer database belonging to U.K. internet provider Virgin Media that was left online by mistake, containing records linking some customers to adult and explicit websites.

More from TechCrunch:


Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more

Notion’s hours-long outage was caused by phishing complaints

Last week’s hours-long outage at online workspace startup Notion was caused by phishing complaints, according to the startup’s domain registrar.

Notion was offline for most of the morning on Friday, plunging its more than four million users into organization darkness because of what the company called a “very unusual DNS issue that occurred at the registry operator level.” With the company’s domain offline, users were unable to access their files, calendars, and documents.

Notion registered its domain name notion.so through Name.com, but all .so domains are managed by Hexonet, a company that helps connect Sonic, the .so top-level domain registry, with domain name registrars like Name.com.

That complex web of interdependence is in large part what led to the communications failure that resulted in Notion falling offline for hours.

In an email to TechCrunch, Name.com spokesperson Jared Ewy said: “Hexonet received complaints about user-generated Notion pages connected to phishing. They informed Name.com about these reports, but we were unable to independently confirm them. Per its policies, Hexonet placed a temporary hold on Notion’s domain.”

“Noting the impact of this action, all teams worked together to restore service to Notion and its users. All three teams are now partnering on new protocols to ensure this type of incident does not happen again. The Notion team and their avid followers were responsive and a pleasure to work with throughout. We thank everyone for their patience and understanding,” said Ewy.

There are several threads on Reddit discussing concerns about Notion being used to host phishing sites, and security researchers have shown examples of Notion used in active phishing campaigns. A Notion employee said almost a year ago that Notion would “soon” move its domain to notion.com, which the company owns.

Notion’s outage is almost identical to what happened with Zoho in 2018, which like Notion, resorted to tweeting at its domain registrar after it blocked zoho.com following complaints about phishing emails sent from Zoho-hosted email accounts.

It sounds like there’s no immediate danger of a repeat outage, but Notion did not return TechCrunch’s email over the weekend asking what it plans to do to prevent phishing on its platform in the future.

Read more:

U.S. charges Russian hackers blamed for Ukraine power outages and the NotPetya ransomware attack

Six Russian intelligence officers accused of launching some of the “world’s most destructive malware” — including an attack that took down the Ukraine power grid in December 2015 and the NotPetya global ransomware attack in 2017 — have been charged by the U.S. Justice Department.

Prosecutors said the group of hackers, who work for the Russian GRU, are behind the “most disruptive and destructive series of computer attacks ever attributed to a single group.”

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Demers, U.S. U.S. assistant attorney general for national security. “Today the Department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

The six accused Russian intelligence officers. (Image: FBI/supplied)

In charges laid out Monday, the hackers are accused of developing and launching attacks using the KillDisk and Industroyer (also known as Crash Override) to target and disrupt the power supply in Ukraine, which left hundreds of thousands of customers without electricity two days before Christmas. The prosecutors also said the hackers were behind the NotPetya attack, a ransomware attack that spread across the world in 2017, causing billions of dollars in damages.

The hackers are also said to have used Olympic Destroyer, designed to knock out internet connections during the opening ceremony of the 2018 PyeongChang Winter Olympics in South Korea.

Prosecutors also blamed the six hackers for trying to disrupt the 2017 French elections by launching a “hack and leak” operation to discredit the then-presidential frontrunner, Emmanuel Macron, as well as launching targeted spearphishing attacks against the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory, tasked with investigating the use of the Russian nerve agent Novichok in Salisbury, U.K. in 2018, and attacks against targets in Georgia, the former Soviet state.

The alleged hackers — Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32 — are all charged with seven counts of conspiracy to hack, commit wire fraud, and causing computer damage.

The accused are believed to be in Russia. But the indictment serves as a “name and shame” effort, frequently employed by Justice Department prosecutors in recent years where arrests or extraditions are not likely or possible.

HacWare wants you to hate email security a little less

Let’s face it, email security is something a lot of people would rather think less about. When you’re not deluged with a daily onslaught of phishing attacks trying to steal your passwords, you’re also expected to dodge the simulated phishing emails sent by your own company all for the sake of checking a compliance box.

One security startup wants that to change. Tiffany Ricks founded HacWare in Dallas, Texas, in 2017 to help bring better cybersecurity awareness to small businesses without getting in the way of the day job.

“We’re trying to show them what they don’t know about cybersecurity and educate them on that so they can get back to work,” Ricks told TechCrunch, ahead of the company’s participation in TechCrunch’s Startup Battlefield.

Ricks, a former Pentagon contractor, has her roots as an ethical hacker. As a penetration tester, or “red teamer,” she would test the limits of a company’s cybersecurity defenses by using a number of techniques, including social engineering attacks, which often involves tricking someone into turning over a password or access to a system.

“It was just very easy to get into organizations by social engineering employees,” said Ricks. But the existing offerings on the market, she said, weren’t up to the task of educating users at scale.

“And so we built the product in-house,” she said.

HacWare sits on a company’s email server and uses machine learning to categorize and analyze each message for risk — the same things you would look for in a phishing email, like suspicious links and attachments.

HacWare tries to identify the most at-risk users, like those working in finance and human resources, who are more vulnerable to business email compromise attacks that try to steal sensitive employee information. The system also uses automated simulated phishing attacks using the contents of what’s in a user’s inbox already to send personalized phishing emails to test the user.

Email remains the most popular way for attackers to use phishing and other social engineering attacks to try to steal sensitive information, according to Verizon’s annual data breach report. These attackers want your passwords or to try to trick you into sending sensitive documents, like employee tax and financial information.

But as the adage goes, humans are the weakest link in the security chain.

Stronger security features, like two-factor authentication, makes it far more difficult for hackers to break into accounts but it’s not a panacea. It was only in July that Twitter was hit by a devastating breach that saw hackers use social engineering techniques to trick employees into giving over access to an internal “admin” tool that the hackers abused to hijack high-profile accounts and spread a cryptocurrency scam.

HacWare’s approach to email security appears to be working. “We’ve seen a 60% reduction in reducing phishing responses,” she said. The automated phishing simulations also help to reduce IT workload, she said.

Ricks moved the bootstrapped HacWare to New York City after securing a place in Techstars’ accelerator program. HacWare is seeking to raise a $1 million seed round, said Ricks. For now, the company is “laser focused” on email security, but the company has growth in its sights.

“I see us expanding into just trying to understand human behavior and trying to figure out how we can mitigate that risk,” she said.

“We believe that cyber security is an integrated approach,” said Ricks. “But first we definitely need to start with the root cause, and the root cause is we need to really get our people the tools they need to empower them to make sound cybersecurity decisions,” she said.

Decrypted: How a teenager hacked Twitter, Garmin’s ransomware aftermath

A 17-year-old Florida teenager is accused of perpetrating one of the year’s biggest and most high-profile hacks: Twitter.

A federal 30-count indictment filed in Tampa said Graham Ivan Clark used a phone spearphishing attack to pivot through multiple layers of Twitter’s security and bypassed its two-factor authentication to gain access to an internal “admin” tool that let the hacker take over any account. With two accomplices named in a separate federal indictment, Clark — who went by the online handle “Kirk” — allegedly used the tool to hijack the accounts of dozens of celebrities and public figures, including Bill Gates, Elon Musk and former president Barack Obama, to post a cryptocurrency scam netting over $100,000 in bitcoin in just a few hours.

It was, by all accounts, a sophisticated attack that required technical skills and an ability to trick and deceive to pull off the scam. Some security professionals were impressed, comparing the attack to one that had the finesse and professionalism of a well-resourced nation-state attacker.

But a profile in The New York Times describes Clark was an “adept scammer with an explosive temper.”

In the teenager’s defense, the attack could have been much worse. Instead of pushing a scam that promised to “double your money,” Clark and his compatriots could have wreaked havoc. In 2013, hackers hijacked the Associated Press’ Twitter account and tweeted a fake bomb attack on the White House, sending the markets plummeting — only to quickly recover after the all-clear was given.

But with control of some of the world’s most popular Twitter accounts, Clark was for a few hours in July one of the most powerful people in the world. If found guilty, the teenager could spend his better years behind bars.

Here’s more from the past week.


THE BIG PICTURE

Garmin hobbles back after ransomware attack, but questions remain

Apple, Biden, Musk and other high-profile Twitter accounts hacked in crypto scam

A number of high-profile Twitter accounts were simultaneously hacked on Wednesday by attackers who used the accounts — some with millions of followers — to spread a cryptocurrency scam.

Apple, Elon Musk and Joe Biden were among the accounts compromised in a broadly targeted hack that remained mysterious hours after taking place. Those accounts and many others posted a message promoting the address of a bitcoin wallet with the claim that the amount of any payments made to the address would be doubled and sent back — a known cryptocurrency scam technique.

In the hours following the initial scam posts, Kim Kardashian West, Jeff Bezos, Bill Gates, Barack Obama, Wiz Khalifa, Warren Buffett, YouTuber MrBeast, Wendy’s, Uber, CashApp and Mike Bloomberg also posted the cryptocurrency scam.

Screenshot via Twitter

While we’re still learning more specifics about how the hack went down, we can report that the hacker leveraged an internal Twitter admin tool to gain access to the high-profile accounts. That reporting was soon confirmed by Twitter’s own account of what happened. On Wednesday evening, the company tweeted that “a coordinated social engineering attack” on employees gave a hacker “access to internal systems and tools.”

Before the scope of the incident became clear, the hack appeared to focus on cryptocurrency-focused accounts. In an initial wave of scam posts, @bitcoin, @ripple, @coindesk, @coinbase and @binance were hacked with the same message: “We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” followed by a link to a website.

The linked site was quickly pulled offline. Kristaps Ronka, chief executive of Namesilo, the domain registrar used by the scammers, told TechCrunch that the company suspended the domain “on the first report” it received. Hacked accounts shifted to sharing multiple bitcoin wallet addresses as the incident went on, making things more difficult to track.

Twitter first acknowledged the situation at 2:45 p.m. PT Wednesday afternoon, referring to it as a “security incident.”

At first, it appeared that some of the compromised accounts were back under their owners’ control as tweets were quickly deleted. But then, Elon Musk’s account tweeted “hi” after his initial tweet with the scam was deleted. The “hi” tweet also disappeared. 

Twitter users reported seeing error messages on the platform as the situation went on. TechCrunch reporter Natasha Mascarenhas saw this error (see below) when she tried to create a threaded tweet. TechCrunch reporter Sarah Perez saw a similar error when trying to post a normal tweet. Both have verified accounts.

Twitter error message (Image: TechCrunch)

As the issues continued, many verified Twitter users also reported being unable to tweet. Around 3:15 p.m. PT, the official Twitter Support account confirmed “[Users] may be unable to Tweet or reset your password while we review and address this incident.” By Wednesday evening, Twitter said that most tweeting should be back to normal but functionality “may come and go” as the company “continue[s] working on a fix.”

Who was hacked

It became clear early on that this situation was not the case of a single account being compromised as we’ve seen in the past, but something else altogether. Even Apple, a company known for robust security, somehow fell victim to the scheme.

Apple’s account was also hacked. This was the account’s first tweet. (Image: TechCrunch)

Many high profile accounts were quickly hijacked in rapid succession Wednesday afternoon, including @elonmusk, the eccentric Twitter-obsessed tech figure with a notoriously engaged fanbase. A scam tweet posted to the Tesla and SpaceX founder’s account simply directed users to send bitcoin to a certain address under the guise that he will “double any payment” — a known cryptocurrency scam technique. Musk’s account appeared to remain compromised for some time after the initial message, with follow-up posts claiming followers were sending money to the suspicious address.

Tesla and SpaceX founder Elon Musk had his Twitter account hacked to spread a cryptocurrency scam. (Image: TechCrunch)

Some Democratic political figures were also hacked as part of the cryptocurrency scam, including Barack Obama, Joe Biden and Mike Bloomberg. An official from the Biden campaign told TechCrunch that Twitter locked down the former vice president’s account “immediately” after it was compromised and the campaign remains in close contact with Twitter on the issue. At the time of writing, no accounts belonging to Republican politicians appear to have been hacked.

Barack Obama had his Twitter account hacked to spread a cryptocurrency scam. (Image: TechCrunch)

Wiz Khalifa’s account was also compromised, as was the Twitter account of popular YouTuber MrBeast, who often posts giveaways, making his re-post of the bitcoin address particularly likely to drive followers to the scam.

The hack also hit legendary investor Warren Buffet, a prominent and harsh critic of cryptocurrencies like bitcoin. “I don’t have any cryptocurrency and I never will,” Buffet told CNBC in February.

Unusual hack, common scam

While the scope of Wednesday’s Twitter hack is unprecedented on the social network, the kinds of scams the hacked accounts promoted are common. Scammers take over high-profile Twitter accounts using breached or leaked passwords and post messages that encourage users to post their cryptocurrency funds to a particular address under the guise that they’ll double their “investment.” In reality, it’s simple theft, but it’s a scam that works.

The main blockchain address used on the scam site had already collected more than 12.5 bitcoin — some $116,000 in USD — and it’s going up by the minute.

A spokesperson for Binance told TechCrunch: “The security team is actively investigating the situation of this coordinated attack on the crypto industry.” Several other companies affected by the account hacks did not immediately respond to a request for comment.

It’s not immediately known how the account hacks took place. Security researchers, however, found that the attackers had fully taken over the victims’ accounts, and also changed the email address associated with the account to make it harder for the real user to regain access.

Scammers frequently reply to high-profile accounts, like celebrities and public figures, to hijack the conversation and hoodwink unsuspecting victims. Twitter typically shuts these accounts down pretty fast.

A Twitter spokesperson, when reached, said the company was “looking into” the matter but didn’t immediately comment.

This story is developing. Stay tuned for updates. 

Below are screenshots of some of the hacked accounts.

[gallery ids="2017548,2017549,2017550,2017551,2017552,2017553,2017555,2017556,2017557,2017558,2017547"]

Google says Iranian, Chinese hackers targeted Trump, Biden campaigns

Google security researchers say they’ve identified efforts by at least two nation state-backed hackers against the Trump and Biden presidential campaigns.

Shane Huntley, director for Google’s Threat Analysis Group, said in a tweet that hackers backed by China and Iran recently targeted the campaigns using malicious phishing emails. But, Huntley said, there are “no signs of compromise,” and that both campaigns were alerted to the attempts.

When reached by TechCrunch, a Google spokesperson reiterated the findings:

“We can confirm that our Threat Analysis Group recently saw phishing attempts from a Chinese group targeting the personal email accounts of Biden campaign staff and an Iranian group targeting the personal email accounts of Trump campaign staff. We didn’t see evidence that these attempts were successful. We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement. We encourage campaign staff to use extra protection for their work and personal emails, and we offer security resources such as our Advanced Protection Program and free security keys for qualifying campaigns.”

A spokesperson for the Biden campaign confirmed the report in a statement to TechCrunch.

“We are aware of reports from Google that a foreign actor has made unsuccessful attempts to access the personal email accounts of campaign staff,” a spokesperson said. “We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them. Biden for President takes cybersecurity seriously, we will remain vigilant against these threats, and will ensure that the campaign’s assets are secured.”

The Trump campaign said it was also briefed that “foreign actors unsuccessfully attempted to breach the technology of our staff,” but a spokesperson declined to discuss the precautions it was taking.

Huntley said in a follow-up tweet that the hackers were identified as China’s APT31 and Iran’s APT35, both of which are known to target government officials. But it’s not the first time that the Trump campaign has been targeted by Iranian hackers. Microsoft last year blamed APT35 group for targeting what later transpired to be the Trump campaign.

Since last year’s attempted attacks, both the Democrats and Republicans improved their cybersecurity at the campaign level. The Democrats recently updated their security checklist for campaigns and published recommendations for countering disinformation, and the Republicans have put on training sessions to better educate campaign officials.

Updated with comment from the Biden campaign, and again with a statement from the Trump campaign.