Click Studios, the Australian software company behind the
Passwordstate password management application, has notified
customers to reset their passwords following a software supply
chain attack.

The Adelaide-based firm said a bad actor used sophisticated
techniques to compromise the software’s update mechanism and used
it to drop malware on user computers.

The breach is said to have occurred between April 20, 8:33 PM
UTC, and April 22, 0:30 AM UTC, for a total period of about 28
hours.

“Only customers that performed In-Place Upgrades between the
times stated above are believed to be affected,” the company
said[1] in an advisory. “Manual Upgrades of Passwordstate are not
compromised. Affected customers' password records may have been
harvested.”


The development was first reported by the Polish tech news site
Niebezpiecznik[2]. It’s not immediately
clear who the attackers are or how they compromised the password
manager’s update feature. Click Studios said an investigation into
the incident is ongoing but noted “the number of affected customers
appears to be very low.”

Passwordstate is an on-premise, web-based enterprise password
management solution that lets businesses securely store passwords,
integrate the product into their own applications, and reset
passwords across a range of systems, among other tasks. The
software is used by 29,000 customers[3]
and 370,000 security and IT professionals globally, including
several Fortune 500 companies spanning verticals such as banking,
insurance, defense, government, education, and manufacturing.

According to an initial analysis shared by Denmark-based
security firm CSIS Group[4], the malware-laced
update came in the form of a ZIP archive file,
“Passwordstate_upgrade.zip,” which contained a modified version of
a library called “moserware.secretsplitter.dll” (VirusTotal
submissions here[5]
and here[6]).

This file, in turn, established contact with a remote server to
fetch a second-stage payload (“upgrade_service_upgrade.zip”) that
extracted Passwordstate data and exported the information back to
the adversary’s CDN network. Click Studios said the server was
taken down as of April 22 at 7:00 AM UTC.


The full list of compromised information includes the computer
name, user name, domain name, current process name and process ID,
the names and IDs of all running processes, the names of all
running services along with their display name and status, the
Passwordstate instance's Proxy Server Address, and usernames and
passwords.

Click Studios has released a hotfix package[7]
that helps customers remove the attacker's tampered DLL and
overwrite it with the legitimate version. The company also
recommended that businesses reset all credentials associated with
external-facing systems (firewalls, VPN) as well as internal
infrastructure (storage systems, local systems) and any other
passwords stored in Passwordstate.
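The remediation above boils down to confirming that the SecretSplitter DLL on disk is the vendor's, and that no staged upgrade archives are left behind. The following is an added example (not Click Studios' hotfix, nor code from the page): it walks an install tree, hashes any file named moserware.secretsplitter.dll, compares it with a known-good SHA-256 supplied by the caller, and flags the two archive names from the CSIS analysis. The known-good digest is a placeholder since this page does not carry the vendor's published hashes; the sample tree is constructed in code.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names reported for the incident (from the CSIS/Click Studios analysis).
TAMPERED_DLL = "moserware.secretsplitter.dll"
STAGED_ARCHIVES = {"passwordstate_upgrade.zip", "upgrade_service_upgrade.zip"}


def sha256_of(path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_install(install_dir, known_good_sha256):
    """Walk an install tree and return (kind, path, digest) findings.

    known_good_sha256 is the hex digest of the vendor's legitimate
    SecretSplitter DLL; the real value is not on this page, so the
    caller supplies it (a constructed placeholder in the sample below).
    """
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            path = Path(root) / name
            lower = name.lower()
            if lower == TAMPERED_DLL:
                digest = sha256_of(path)
                if digest != known_good_sha256.lower():
                    findings.append(("dll-hash-mismatch", str(path), digest))
            elif lower in STAGED_ARCHIVES:
                findings.append(("staged-archive-present", str(path), None))
    return findings


def make_sample_install():
    """Build a constructed sample tree: a DLL whose bytes do not match the
    'known good' digest plus a leftover upgrade archive.
    Returns (directory, known_good_digest)."""
    base = Path(tempfile.mkdtemp(prefix="pwstate_sample_"))
    (base / "bin").mkdir()
    (base / "bin" / TAMPERED_DLL).write_bytes(b"CONSTRUCTED tampered bytes")
    (base / "Passwordstate_upgrade.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    known_good = hashlib.sha256(b"CONSTRUCTED legitimate bytes").hexdigest()
    return base, known_good


if __name__ == "__main__":
    sample, good = make_sample_install()
    for kind, path, digest in audit_install(sample, good):
        print(kind, path, digest or "")
```

Run it against the real install directory with the digest from the vendor's advisory in place of the constructed one; an empty result means both checks passed.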

Passwordstate's breach comes as supply chain attacks are fast
emerging as a new threat to companies that depend on third-party
software vendors for their day-to-day operations. In December 2020,
a rogue update to the SolarWinds Orion[8]
network management software installed a backdoor on the networks of
up to 18,000 customers.

Last week, software auditing startup Codecov alerted[9] customers that it
discovered its software had been infected with a backdoor[10] as early as January 31
to gain access to authentication tokens for various internal
software accounts used by developers. The incident didn’t come to
light until April 1.

References

  1. said (www.clickstudios.com.au)
  2. Niebezpiecznik (twitter.com)
  3. 29,000 customers (www.clickstudios.com.au)
  4. CSIS Group (www.csis.dk)
  5. here (www.virustotal.com)
  6. here (www.virustotal.com)
  7. hotfix package (clickstudios.com.au)
  8. SolarWinds Orion (thehackernews.com)
  9. alerted (about.codecov.io)
  10. infected with a backdoor (www.reuters.com)
