A majority of industry experts agree that using password managers is the most secure way to protect your passwords. Password managers give an extra layer of protection to your online accounts by encrypting all your saved passwords. However, there is no way to stay 100% secure online. Even a robust and reliable password manager can be hacked. And this came true when cybersecurity researchers from CSIS Security Group recently discovered a supply chain hack on Passwordstate , a password manager owned by an Australian firm Click Studios.
Deployment of a Corrupted Update
In an official release, Click Studios stated that it suffered a data breach, between April 20 and April 22, after an unknown attacker deployed a corrupted update to Passwordstate by compromising its In-Place Upgrade functionality. The attack lasted for around 28 hours before it was shut down, exposing users’ sensitive data online. Reportedly, the users who performed In-Place Upgrades between April 20, 8:33 PM UTC and April 22, 0:30 AM UTC have likely downloaded a malformed Passwordstate_upgrade.zip file injected by the attackers.
🚨 Manager haseł PasswordState został zhackowany a komputery klientów zainfekowane.
Producent informuje ofiary e-mailem.
Ten manager haseł jest “korporacyjny”, więc problem będzie dotyczyć przede wszystkim firm… Auć!
(Informacja od Tajemniczego Pedro) pic.twitter.com/PGHhmEKpje
— Niebezpiecznik (@niebezpiecznik) April 23, 2021
The researchers claimed that threat actors deployed malware, tracked as Moserpass, in the form of a ZIP archive file – Passwordstate_upgrade.zip containing a modified version of a library – moserware.secretsplitter.dll. The ZIP file connects with the remote server to fetch a second-stage payload – upgrade_service_upgrade.zip that extracted Passwordstate users’ data and exported the information to the adversary’s Content Delivery Network (CDN) network.
Indicators of Compromise
- Malicious dll: f23f9c2aaf94147b2c5d4b39b56514cd67102d3293bdef85101e2c05ee1c3bf9
2. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
3. C&C: https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip
Massive Data Exposed
Initial analysis of the compromised data indicates that Moserpass malware harvested users’ sensitive details including, computer name, username, domain name, current process name, current process ID, all running processes name and IDs, all running services’ name, display name, status, Passwordstate instance’s Proxy Server Address, username, and password.
“The Domain Name and Hostname aren’t extracted as part of this. Although the encryption key and database connection string are used to process data via hooking into the Passwordstate Service process, there is no evidence of encryption keys or database connection strings being posted to the bad actor CDN network,” Click Studios said.
Click Studios urged the affected customers to immediately:
- Download the advised hotfix file.
- Use PowerShell to confirm the checksum of the hotfix file matches the details supplied.
- Stop the Passwordstate Service and Internet Information Server.
- Extract the hotfix to the specified folder.
- Restart the Passwordstate Service, and Internet Information Server.
Besides, the company advised all its customers to reset passwords on their Passwordstate account as a precautionary measure. Click Studios recommended password resets based on:
- All credentials for externally facing systems, i.e., Firewalls, VPN, external websites, etc.
- All credentials for internal infrastructure, i.e., Switches, Storage Systems, Local Accounts.
- All remaining credentials stored in Passwordstate.
Passwordstate has more than 29,000 customers globally and this data breach could potentially have impacted a large number of users.
“Click Studios is continuing to work with our customers, identifying if they have been affected and advising them of the required remedial actions. Click Studios is also liaising with a Nationally Based 3rd party for assistance on in-depth analysis and direction for specialist technical support,” Click Studios added.
Resetting all your stored passwords, and especially firewalls, VPNs, switches, or any server passwords will help prevent any future risk.