Passwordstate password manager hacked via supply chain attack (April 2021)

Unpleasant news for users of the password manager Passwordstate. Click Studios, the Australian vendor behind the password manager, has announced that it has become the victim of a supply chain attack. Affected users should assume that the passwords they store in Passwordstate have been leaked.



Passwordstate is an on-premises password management solution, and is used by more than 370,000 security and IT professionals in 29,000 companies worldwide, according to the company Click Studios.

Supply chain attack on the vendor

Now the vendor Click Studios has had to admit to a supply chain attack against its IT. I came across the issue via the following tweet from colleagues at Bleeping Computer.

Passwordstate hacked

Click Studios evidently sent its customers an email titled "Confirmation of Malformed Files and Essential Course of Action", which the Polish website Niebezpiecznik published on Twitter.

Mail from Click Studios to Passwordstate users



In the mail, the vendor informs its customers about a possible integrity violation of the Passwordstate password manager as of April 22, 2021. The image above contains the text of the mail as a screenshot; here is an excerpt:

Confirmation of Malformed Files and Essential Course of Action

Initial analysis indicates that a bad actor using sophisticated techniques had compromised the In-Place Upgrade functionality.

Any In-Place Upgrade performed between 20th April 8:33 PM UTC and 22nd April 0:30 AM UTC had the potential to download a malformed Passwordstate_upgrade.zip [..] sourced from a download network not controlled by Click Studios […]

This statement is simply a description of a supply chain attack, in which malware is introduced into a product's update process. And on April 20, 2021 there was probably an update for Passwordstate 9.1 – Build 9117.

Updates affected between April 20 and April 22, 2021

Customers who used the product's in-place upgrade feature between April 20 and April 22, 2021 are potentially affected and may have received the malware-infected file upgrade_service_upgrade.zip from the attackers' CDN. The reason is that for a period of 28 hours the downloads were no longer served from the update servers of the vendor Click Studios.

According to J. A. Guerrero-Saade, Principal Threat Researcher at SentinelOne, the attacker managed to add a 'loader' code section to Passwordstate's original code, containing only 4 KB of an older version. The security researcher published his brief analysis in a series of tweets. The loader has the functionality to pull further payloads from the command-and-control server (C2). There is also code to parse the global settings of the 'PasswordState' datastore (proxy username/password, etc.).

The malware, dubbed Moserware, thus collects system information and PasswordState data and sends it to attacker-controlled servers. The CDN servers used in the attack have been shut down and have been inaccessible since April 22, 7:00 am UTC.

Click Studios has released a hotfix that detects the infection via checksums. The colleagues at Bleeping Computer have linked the download address, which can also be seen in the screenshot above, but the page is no longer accessible.
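As an added example (not Click Studios' hotfix and not code from the original post), the two triage checks a defender would run after reading the above: did any in-place upgrade fall inside the exposure window the vendor named, and do the installed files still match vendor-published checksums? The log format and the manifest dictionary are assumptions for illustration.

```python
# Added example, not vendor code: triage helper for the Passwordstate incident.
from datetime import datetime, timezone
import hashlib
from pathlib import Path

# Exposure window exactly as stated in the vendor e-mail (UTC).
WINDOW_START = datetime(2021, 4, 20, 20, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 22, 0, 30, tzinfo=timezone.utc)


def upgrade_in_window(ts: str) -> bool:
    """ts is an ISO-8601 timestamp with offset, e.g. '2021-04-21T03:15:00+00:00'."""
    t = datetime.fromisoformat(ts)
    if t.tzinfo is None:
        raise ValueError("upgrade timestamp must carry a timezone")
    # Normalise to UTC before comparing against the vendor's UTC window.
    return WINDOW_START <= t.astimezone(timezone.utc) <= WINDOW_END


def affected_upgrades(log_lines):
    """Constructed (assumed) log format: '<iso timestamp> in-place-upgrade <build>'.
    Returns the builds whose in-place upgrade ran inside the exposure window."""
    hits = []
    for line in log_lines:
        ts, action, build = line.split()
        if action == "in-place-upgrade" and upgrade_in_window(ts):
            hits.append(build)
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(install_dir, manifest):
    """manifest: {relative filename: expected sha256 hex} (assumed vendor-published).
    Returns (filename, status) pairs; a loader appended to a DLL shows up as MISMATCH."""
    results = []
    for name, expected in manifest.items():
        p = Path(install_dir) / name
        if not p.is_file():
            results.append((name, "MISSING"))
        elif sha256_file(p) != expected.lower():
            results.append((name, "MISMATCH"))
        else:
            results.append((name, "ok"))
    return results
```

Any build listed by affected_upgrades, or any MISMATCH from verify_manifest, should trigger the password reset sequence described below.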

Click Studios advises users whose clients have updated in the time specified above to reset all passwords in the Passwordstate database. Resetting passwords should be prioritized as follows:

  • all credentials for Internet-exposed systems (firewalls, VPN, external websites, etc.)
  • all credentials for internal infrastructure
  • all other credentials

The colleagues at Bleeping Computer cite CSIS Security Group A/S, who assume a large number of people are affected. All this brings back memories of the SolarWinds Orion case and the Codecov attack. In my German article on the Codecov attack, I added a statement (in English) from security vendor Check Point. Among other things, they see the rapid release cycles typical of modern DevOps application development and deployment as the cause of the quick succession of supply chain attacks disclosed in 2021. Arguably, the security challenges posed by this style of DevOps application development cannot be overcome by companies. Final question: is anyone affected by the Passwordstate attack?



