A currently unidentified threat actor has compromised the update mechanism of Passwordstate, a password manager application primarily catering to enterprise customers, and has deployed malware on its user’s devices.
Click Studios, the firm behind Passwordstate, has notified 29,000 customers via email, according to communications obtained by a Polish tech news site. The malware was live for 28 hours between the 20th and 22nd of April.
CSIS, the security firm that dealt with the aftermath, revealed that a supply chain attack was the root cause of the vulnerability. The security firm said the threat actor forced the Passwordstate apps to download an additional ZIP file that contained a DLL file named “moserware.secretsplitter.dll.”
After installation, this DLL file would contact a command-and-control server, from where it would request new commands and retrieve additional payloads. Click Studios said the hack took place after a threat actor compromised the “In-Place Upgrade functionality” of a CDN network not controlled by Click Studios.
The malware collects sensitive information on a user’s computer system, including the credential store in the Passwordstate manager. Although there is no evidence of encryption keys or information used to query the app’s database being stolen, public tools are available specifically to recover the plain text password from a Passwordstate vault.
With the information from Passwordstate, including the credentials, the attacker would have access to the corresponding services stored in the password manager.
The first action Passwordstate users should take is to change all the passwords stored inside the password manager. For enterprises changing passwords will not simply involve just email and website accounts, but also passwords for internal uses such as firewalls, VPNs, switches, routers, network gateways, and others, which many employees would most likely have saved inside in line with their company’s policies.
The second remediation is to follow the Click Studios incident management advisory to find further information.
Source: The Record.Media