26 April 2021

Enterprise password manager Passwordstate hacked to install malware on customers systems

Click Studios, the developer behind enterprise password manager Passwordstate, has advised its customers to reset all passwords following a supply-chain attack.

In an incident management advisory released Friday, the company said that intruders used sophisticated techniques to compromise the In-Place Upgrade functionality, the software's update mechanism, and used it to deploy malware called ‘Moserware’ on user computers.

According to the information on Click Studios’ web site, the Passwordstate software is used by more than 29,000 customers and 370,000 security and IT professionals around the world, including Fortune 500 companies. The breach is said to have occurred between 20 April 2021 8:33 PM UTC and 22 April 2021 0:30 AM UTC.

“Any In-Place Upgrades performed between 20th April 8:33 PM UTC and 22nd April 0:30 AM UTC have the potential to download a malformed Passwordstate_upgrade.zip. This .zip file was sourced from a download network not controlled by Click Studios,” the company said. “The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers’ password records may have been harvested.”

Hackers used the update mechanism to drop a malicious update via a zip file “Passwordstate_upgrade.zip” containing a rogue DLL “moserware.secretsplitter.dll”. Once installed, this DLL would connect to its command and control server to receive an additional payload, upgrade_service_upgrade.zip, which, in turn, extracted Passwordstate data and exported the information back to the bad actor’s CDN network.

The extracted data included computer name, user name, domain name, current process name, current process ID, all running processes name and ID, all running services name, display name and status, Passwordstate instance’s proxy server address, username and password.
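The attack chain described above suggests a simple triage step for administrators: inspect any Passwordstate_upgrade.zip pulled during the incident for the rogue DLL the advisory names, and check whether the upgrade time falls inside the stated compromise window. The script below is an added example written for this article, not Click Studios’ code; the sample archive is constructed in memory, and the only indicators used are the file names and times quoted in the advisory.

```python
"""Added triage helper for the Passwordstate In-Place Upgrade incident (not
Click Studios' code): flags the rogue DLL named in the advisory inside a
downloaded Passwordstate_upgrade.zip and checks the stated compromise window."""
import io
import zipfile
from datetime import datetime, timezone

# File names taken from the advisory text.
ROGUE_DLL = "moserware.secretsplitter.dll"
SECOND_STAGE = "upgrade_service_upgrade.zip"
# Compromise window stated by Click Studios (UTC).
WINDOW_START = datetime(2021, 4, 20, 20, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 22, 0, 30, tzinfo=timezone.utc)


def in_compromise_window(upgrade_time: datetime) -> bool:
    """True if an In-Place Upgrade ran while the bad zip was being served."""
    if upgrade_time.tzinfo is None:
        raise ValueError("upgrade_time must be timezone-aware")
    return WINDOW_START <= upgrade_time.astimezone(timezone.utc) <= WINDOW_END


def scan_upgrade_archive(zip_bytes: bytes) -> list:
    """Return archive entries whose basename matches a known indicator.
    Case-insensitive and path-agnostic, so a DLL in any folder is caught."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1].lower()
            if name in (ROGUE_DLL, SECOND_STAGE):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign file plus the rogue DLL name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Passwordstate/readme.txt", "benign content")
        zf.writestr("Passwordstate/bin/Moserware.SecretSplitter.dll", b"dummy")
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious entries:", scan_upgrade_archive(build_sample_archive()))
    when = datetime(2021, 4, 21, 12, 0, tzinfo=timezone.utc)
    print("upgrade inside compromise window:", in_compromise_window(when))
```

A hit on the file name alone is a reason to follow the vendor hotfix and reset stored credentials; a clean scan of the archive does not prove the host was untouched, since the second stage was fetched from the C2 server after installation.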

Click Studios has already notified its customers of the breach and issued a hotfix to help users remove the malware from their systems. Users are strongly advised to reset all passwords stored inside compromised Passwordstate password managers, especially credentials for firewalls, VPNs, switches, storage systems, local accounts, etc.
