Click Studios, the developer behind enterprise password manager Passwordstate, has advised its customers to reset all passwords following a supply-chain attack.
In an incident management advisory released Friday, the company said that intruders had compromised In-Place Upgrade, the software's update mechanism, and used it to deploy malware referred to as 'Moserware' on customer systems.
According to Click Studios' website, Passwordstate is used by more than 29,000 customers and 370,000 security and IT professionals worldwide, including Fortune 500 companies. The compromise window ran from 20 April 2021 at 8:33 PM UTC to 22 April 2021 at 12:30 AM UTC, roughly 28 hours.
“Any In-Place Upgrades performed between 20th April 8:33 PM UTC and 22nd April 0:30 AM UTC have the potential to download a malformed Passwordstate_upgrade.zip. This .zip file was sourced from a download network not controlled by Click Studios,” the company said. “The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers' password records may have been harvested.”
The attackers used the update mechanism to deliver a malicious update in the form of a zip file, Passwordstate_upgrade.zip, containing a rogue DLL, moserware.secretsplitter.dll. Once installed, the DLL contacted its command-and-control server and fetched an additional payload, upgrade_service_upgrade.zip, which in turn harvested Passwordstate data and exfiltrated it to the attackers' CDN.
The harvested data included the computer name, user name, domain name, the current process name and ID, the names and IDs of all running processes, the names, display names and status of all running services, and the Passwordstate instance's proxy server address, username and password.
Click Studios has notified its customers of the breach and issued a hotfix that removes the malware. Customers are strongly advised to reset every password stored in an affected Passwordstate instance, especially credentials for firewalls, VPNs, switches, storage systems and local accounts.
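The advisory gives responders three concrete facts to work with: a 28-hour window, a list of file names, and the statement that only In-Place Upgrades run inside that window are affected. The script below turns those into a triage check. It is an added example, not Click Studios' hotfix or code: the install path, the file records and the hashes are constructed placeholders, and the known-good digest is whatever you obtain from a clean install or a pre-window backup. Because the product legitimately ships a Moserware.SecretSplitter.dll of its own, the check does not treat the name alone as proof; it flags a mismatch against the trusted hash, or a named artefact written inside the window.

```python
"""Triage helper for the Passwordstate In-Place Upgrade compromise.

Added example, not Click Studios' code. The install path, file records
and hashes below are constructed for illustration; the window and the
artefact names come from the advisory quoted above.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Compromise window stated in the advisory (UTC).
WINDOW_START = datetime(2021, 4, 20, 20, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 22, 0, 30, tzinfo=timezone.utc)

# File names given in the advisory and the analysis above, compared
# case-insensitively because Windows paths are.
IOC_NAMES = {
    "passwordstate_upgrade.zip",
    "moserware.secretsplitter.dll",
    "upgrade_service_upgrade.zip",
}


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: datetime      # timezone-aware, UTC
    sha256: str = ""     # hex digest; empty if not computed


def parse_utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(ts: datetime) -> bool:
    """True if ts falls inside the window the advisory gives (inclusive)."""
    return WINDOW_START <= ts <= WINDOW_END


def triage(records, known_good=None) -> dict:
    """Classify file records into the indicators a responder wants.

    known_good maps an IOC file name to the SHA-256 of a trusted copy.
    A name match alone is not proof, since the legitimate product ships
    a Moserware.SecretSplitter.dll; the rogue one is the copy whose hash
    differs from the trusted copy, or that was written inside the window.
    """
    known_good = {k.lower(): v.lower() for k, v in (known_good or {}).items()}
    out = {"named": [], "written_in_window": [], "hash_mismatch": []}
    for r in records:
        # Normalise separators so Windows paths parse on any host.
        name = os.path.basename(r.path.replace("\\", "/")).lower()
        if name in IOC_NAMES:
            out["named"].append(r.path)
            good = known_good.get(name)
            if good and r.sha256 and r.sha256.lower() != good:
                out["hash_mismatch"].append(r.path)
        if in_window(r.mtime):
            out["written_in_window"].append(r.path)
    out["likely_affected"] = bool(out["hash_mismatch"]) or any(
        p in out["written_in_window"] for p in out["named"]
    )
    return out


def scan_directory(root: str) -> list[FileRecord]:
    """Build records from a real install directory, hashing IOC names only."""
    records = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            digest = ""
            if fn.lower() in IOC_NAMES:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            records.append(FileRecord(full, mtime, digest))
    return records


# Constructed sample: a hypothetical install under C:\inetpub\Passwordstate.
# The digests are placeholders, not real hashes of any file.
SAMPLE_KNOWN_GOOD = {"moserware.secretsplitter.dll": "a" * 64}
SAMPLE_RECORDS = [
    FileRecord(r"C:\inetpub\Passwordstate\upgrades\Passwordstate_upgrade.zip",
               parse_utc("2021-04-21T03:05:00Z")),
    FileRecord(r"C:\inetpub\Passwordstate\bin\moserware.secretsplitter.dll",
               parse_utc("2021-04-21T03:10:00Z"), "b" * 64),
    FileRecord(r"C:\inetpub\Passwordstate\bin\Passwordstate.dll",
               parse_utc("2021-04-21T03:10:00Z")),
    FileRecord(r"C:\inetpub\Passwordstate\web.config",
               parse_utc("2021-03-01T09:00:00Z")),
]

if __name__ == "__main__":
    # On a real host: triage(scan_directory(r"C:\inetpub\Passwordstate"), {...})
    for key, value in triage(SAMPLE_RECORDS, SAMPLE_KNOWN_GOOD).items():
        print(f"{key}: {value}")
```

The window check deliberately uses file modification times rather than the upgrade log, because a second-stage payload written by the rogue DLL would not appear in any upgrade record; anything under the install root touched inside the window deserves a look even if its name is unremarkable. A "likely_affected" verdict should be treated as the advisory says: assume the password records were harvested and rotate them.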