Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs
Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a software supply chain attack.
The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software’s update mechanism and then used it to drop malware on user computers.
The breach is said to have occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, for a total period of about 28 hours.
“Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company said in an advisory. “Manual Upgrades of Passwordstate are not compromised. Affected customers’ password records may have been harvested.”
The development was first reported by the Polish tech news site Niebezpiecznik. It’s not immediately clear who the attackers are or how they compromised the password manager’s update feature. Click Studios said an investigation into the incident is ongoing but noted “the number of affected customers appears to be very low.”
Passwordstate is an on-premise web-based solution used for enterprise password management, enabling businesses to securely store passwords, integrate the solution into their applications, and reset passwords across a range of systems, among others. The software is used by 29,000 customers and 370,000 security and IT professionals globally, counting several Fortune 500 companies spanning verticals such as banking, insurance, defense, government, education, and manufacturing.
According to an initial analysis shared by Denmark-based security firm CSIS Group, the malware-laced update came in the form of a ZIP archive file, “Passwordstate_upgrade.zip,” which contained a modified version of a library called “moserware.secretsplitter.dll” (two samples were submitted to VirusTotal).
This file, in turn, established contact with a remote server to fetch a second-stage payload (“upgrade_service_upgrade.zip”) that extracted Passwordstate data and exported the information back to the adversary’s CDN network. Click Studios said the server was taken down as of April 22 at 7:00 AM UTC.
The full list of compromised information includes: computer name, user name, domain name, current process name, current process ID, the names and IDs of all running processes, the names of all running services along with their display name and status, the Passwordstate instance’s proxy server address, and usernames and passwords.
Click Studios has released a hotfix package that helps customers remove the attacker’s tampered DLL and overwrite it with a legitimate copy. The company also recommended that businesses reset all credentials associated with external-facing systems (firewalls, VPN) as well as internal infrastructure (storage systems, local systems) and any other passwords stored in Passwordstate.
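The remediation above amounts to one question an administrator can answer mechanically: does every file in the update I applied match what the vendor actually shipped? The script below is an added example, not Click Studios code, and shows the check a defender would run before (or after) an in-place upgrade: hash every member of an update archive, compare against a manifest of expected SHA-256 values, and report tampered, unexpected, and missing files. The manifest values, the stand-in DLL bytes, and the file name `example_component.dll` are constructed for the demonstration; a real manifest would come from the vendor through a channel independent of the update server itself, since the update server is exactly the component that was compromised here.

```python
"""Verify the members of an update ZIP against a known-good hash manifest.

Added example (not part of the original article or of Passwordstate).
All hashes and sample file contents below are constructed placeholders.
"""
import hashlib
import io
import zipfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(archive_bytes: bytes, manifest: dict) -> dict:
    """Compare every file in a ZIP update against expected SHA-256 hashes.

    Returns three lists:
      tampered   - member present in manifest but with a different hash
      unexpected - member not listed in the manifest at all
      missing    - manifest entry with no corresponding member
    A clean archive yields three empty lists. Names are compared
    case-insensitively because Windows file systems are.
    """
    result = {"tampered": [], "unexpected": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            seen.add(name)
            digest = sha256_bytes(zf.read(info))
            expected = manifest.get(name)
            if expected is None:
                result["unexpected"].append(name)
            elif digest != expected:
                result["tampered"].append(name)
    for name in manifest:
        if name not in seen:
            result["missing"].append(name)
    return result


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: a "genuine" library and a variant with extra bytes.
GENUINE_DLL = b"MZ\x90\x00 constructed stand-in for moserware.secretsplitter.dll"
TAMPERED_DLL = GENUINE_DLL + b" + constructed injected stub"
COMPONENT = b"constructed stand-in for example_component.dll"

# Manifest the vendor would publish out-of-band (constructed here).
MANIFEST = {
    "moserware.secretsplitter.dll": sha256_bytes(GENUINE_DLL),
    "example_component.dll": sha256_bytes(COMPONENT),
}


def demo_clean() -> dict:
    """An archive whose members all match the manifest."""
    archive = build_archive({
        "moserware.secretsplitter.dll": GENUINE_DLL,
        "example_component.dll": COMPONENT,
    })
    return verify_archive(archive, MANIFEST)


def demo_tampered() -> dict:
    """An archive with a modified DLL, an extra file, and a missing file."""
    archive = build_archive({
        "moserware.secretsplitter.dll": TAMPERED_DLL,
        "extra_helper.dll": b"constructed unexpected member",
    })
    return verify_archive(archive, MANIFEST)


if __name__ == "__main__":
    print("clean archive:", demo_clean())
    print("tampered archive:", demo_tampered())
```

Any non-empty list is a reason to stop the upgrade and contact the vendor; a hash mismatch on a single library, as in the tampered sample, is precisely the signal that would have distinguished the malicious “Passwordstate_upgrade.zip” from a legitimate one, provided the expected hashes were obtained from somewhere the attacker could not also rewrite.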
Passwordstate’s breach comes as supply chain attacks are fast emerging as a new threat to companies that depend on third-party software vendors for their day-to-day operations. In December 2020, a rogue update to the SolarWinds Orion network management software installed a backdoor on the networks of up to 18,000 customers.
Last week, software auditing startup Codecov alerted customers that it discovered its software had been infected with a backdoor as early as January 31 to gain access to authentication tokens for various internal software accounts used by developers. The incident didn’t come to light until April 1.