Password Manager Passwordstate From Click Studios Hit in Supply Chain Attack

The Australian software company Click Studios, known for the Passwordstate password manager, suffered a breach between April 20 and April 22 that was first detected and reported by CSIS Security Group. The researchers said they may have uncovered the next big supply chain hack.

In the report, published in an April 23 blog post, the firm provided digital evidence that Click Studios suffered a breach during which the attacker pushed a corrupted Passwordstate update containing a dynamic link library with malicious code.

“The malicious code tries to contact [a URL] in order to retrieve an encrypted code. Once decrypted, the code is executed directly in memory,” the researchers wrote.

Moserpass, the malware in the update, connected to a command and control server to execute the next stage of the attack. CSIS found two malware samples that were used to develop indicators of compromise, but could not catch any second-stage payloads because the attackers’ server was shut down.

Malicious DLL (image in original post):

It is unclear how many Passwordstate users downloaded the update. The company claims to have over 29,000 customers and 370,000 security and IT professionals worldwide. Nor is it known who those customers are, since the company does not disclose their names:

“As much as we would like to advertise all our customers on our web site we hope you can appreciate us honouring their wishes and keeping this information private and confidential.”

On April 24, Click Studios published an advisory explaining that only customers who performed In-Place Upgrades may be affected by the breach:

Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected.
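The two defensive checks this incident calls for are the ones the article implies: matching installed DLLs against the indicators of compromise CSIS derived from its samples, and comparing the files an upgrade left behind against hashes pinned out of band, so that a redirected upgrade director is caught even before any IoC exists. The script below is an added example written for this page; it is not Click Studios' or CSIS's code. The file names, bytes and hashes are all constructed placeholders, because the page does not reproduce the real IoC values.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(install_dir, known_bad, pinned_good):
    """Walk install_dir for DLLs and return two sorted lists of file names:
    - matches:    files whose SHA-256 is on the known-bad (IoC) list
    - mismatches: files that have a pinned known-good hash but no longer match it
    The second check is what catches a tampered update whose hash is not yet on
    any IoC list, which is the gap a fresh supply-chain compromise leaves."""
    matches, mismatches = [], []
    for p in Path(install_dir).rglob("*.dll"):
        digest = sha256_of(p)
        if digest in known_bad:
            matches.append(p.name)
        expected = pinned_good.get(p.name)
        if expected is not None and digest != expected:
            mismatches.append(p.name)
    return sorted(matches), sorted(mismatches)


def build_demo():
    """Constructed fixture: a temporary 'install directory' with three DLL files,
    plus the IoC set and pinned-hash table that belong with it. Every name, byte
    string and hash here is made up for the demo; none is a real Passwordstate
    artifact or a real indicator from the CSIS report."""
    d = Path(tempfile.mkdtemp(prefix="pwstate_demo_"))
    core_bytes = b"constructed bytes standing in for an untouched library"
    helper_original = b"constructed bytes standing in for the helper before upgrade"
    helper_replaced = b"constructed bytes standing in for a trojaned replacement"
    dropped_bytes = b"constructed bytes standing in for a dropped loader DLL"

    (d / "Core.dll").write_bytes(core_bytes)          # untouched, pinned
    (d / "Helper.dll").write_bytes(helper_replaced)   # pinned, but replaced
    (d / "Dropped.dll").write_bytes(dropped_bytes)    # new file, on the IoC list

    # Hashes the vendor would publish out of band (placeholders here).
    pinned_good = {
        "Core.dll": hashlib.sha256(core_bytes).hexdigest(),
        "Helper.dll": hashlib.sha256(helper_original).hexdigest(),
    }
    # Stands in for the IoC hashes CSIS derived from the captured samples.
    known_bad = {hashlib.sha256(dropped_bytes).hexdigest()}
    return d, known_bad, pinned_good


def run_demo():
    """Run the sweep over the constructed fixture and return (matches, mismatches)."""
    install_dir, known_bad, pinned_good = build_demo()
    return sweep(install_dir, known_bad, pinned_good)


if __name__ == "__main__":
    found, changed = run_demo()
    print("IoC hash matches:", found)
    print("pinned-hash mismatches:", changed)
```

In the demo, `Dropped.dll` is flagged only because its hash is on the IoC list, while `Helper.dll` is flagged only because it no longer matches the hash pinned for it; a real sweep should pair both checks, since a 28-hour window is long enough for a variant that no IoC list has seen yet.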

ClickStudios said password records of affected customers may have been harvested. If the attacker was successful in obtaining passwords this would mean we have another supply chain attack in addition to SolarWinds, Microsoft Exchange, Accellion, and Codecov.

The company recommends its customers who use Passwordstate to “reset all the stored passwords, and especially VPNs, Firewall, Switches, local accounts or any server passwords etc.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.