Another serious supply-chain attack has surfaced, potentially affecting thousands of customers. This time, the victim is Click Studios, the vendor of the Passwordstate password manager, which has confirmed the cyber attack. The attackers may also have harvested users' passwords from the compromised password manager.
Passwordstate Password Manager Cyber Attack
Reportedly, Click Studios, the Australian software firm behind the password manager Passwordstate, has disclosed a cyber attack on its systems.
As elaborated in its advisory, the company suffered a supply-chain attack in which the attackers corrupted the password manager via a malicious update. To do this, the attackers compromised the In-Place Upgrade functionality of the main website.
Although the attack was short-lived, lasting about 28 hours, the attackers still managed to cause some damage.
Sharing details about the attack, Click Studios stated,
Any In-Place Upgrades performed between 20th April 8:33 PM UTC and 22nd April 0:30 AM UTC have the potential to download a malformed Passwordstate_upgrade.zip. This .zip file was sourced from a download network not controlled by Click Studios.
According to the investigation, the malicious update installed malware on the systems that received it. Dubbed 'Moserware', the malware steals information from the target system for the attackers.
When the In-Place Upgrade capability processes the malformed Passwordstate_upgrade.zip, a modified moserware.secretsplitter.dll, with a size of 65kb, is loaded. This subsequently downloads an additional file, upgrade_service_upgrade.zip, from a bad actor's CDN network, starts a new background thread, converts the upgrade_service_upgrade.zip to a .NET assembly stored only in memory and begins processing.
Hotfix And Mitigations
Upon detecting the incident, the vendor blocked the malicious In-Place Upgrades. It has also asked customers to check for the presence of a 65kb "moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin\ directory".
If the file is found, customers should send the "directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt" to Click Studios to receive remediation instructions.
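The check described above, as an added PowerShell example that is not part of the article or the Click Studios advisory: it looks for the DLL in the directory the vendor names, reports its size and Authenticode signature status, and writes the requested directory listing. The default output path, the 60-70 KB size window used to approximate "65kb", and the signature check are assumptions of this example, not vendor guidance.

```powershell
# Added example (not from the Click Studios advisory or the article above).
# Checks a Passwordstate server for the indicator the vendor describes and writes
# the directory listing the vendor asks for. Output path and size window are assumptions.
param(
    [string]$BinDir  = 'C:\inetpub\passwordstate\bin',
    [string]$OutFile = (Join-Path $env:USERPROFILE 'PasswordstateBin.txt')
)

$dll = Join-Path $BinDir 'moserware.secretsplitter.dll'

if (-not (Test-Path -LiteralPath $BinDir)) {
    Write-Warning "Passwordstate bin directory not found at $BinDir"
    return
}

# Always capture the directory listing: the vendor asks for it, and it is useful
# evidence for incident response regardless. -Force includes hidden files.
Get-ChildItem -LiteralPath $BinDir -Force |
    Select-Object Name, Length, CreationTimeUtc, LastWriteTimeUtc |
    Format-Table -AutoSize |
    Out-String -Width 200 |
    Set-Content -LiteralPath $OutFile

if (Test-Path -LiteralPath $dll) {
    $file   = Get-Item -LiteralPath $dll
    $sizeKB = [math]::Round($file.Length / 1KB, 1)

    # The advisory describes the malicious DLL as a *modified* file of about 65 KB,
    # so a legitimate file of the same name may exist with a different size.
    # The 60-70 KB window is an assumption to allow for rounding; treat a match as a
    # reason to isolate the host and contact the vendor, not as proof by itself.
    if ($file.Length -ge 60KB -and $file.Length -le 70KB) {
        Write-Warning "$($file.FullName) is present and $sizeKB KB (matches the advisory indicator)."
    } else {
        Write-Output "$($file.FullName) is present but $sizeKB KB; size does not match the advisory indicator."
    }

    # An unsigned or invalid Authenticode signature strengthens the suspicion (assumed check).
    $sig = Get-AuthenticodeSignature -FilePath $dll
    Write-Output "Signature status    : $($sig.Status)"
    Write-Output "Last write time UTC : $($file.LastWriteTimeUtc)"
} else {
    Write-Output "moserware.secretsplitter.dll not found in $BinDir."
}

Write-Output "Directory listing written to $OutFile"
```

Run the script in an elevated PowerShell session on the Passwordstate web server; the listing it writes is the file the vendor asks affected customers to send, and the last-write timestamp can be compared against the upgrade window quoted in the advisory.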
While Click Studios confirmed that the incident did impact some customers, it describes the number as "very low". As the investigation progresses, however, this number may increase.
Currently, Click Studios boasts over 29,000 customers from various sectors, including some Fortune 500 companies.