Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs


Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers to reset their passwords following a software supply chain attack.

The Adelaide-based firm said a bad actor used sophisticated techniques to compromise the software’s update mechanism and used it to drop malware on user computers.

The breach is said to have occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC, for a total period of about 28 hours.

“Only customers that performed In-Place Upgrades between the times stated above are believed to be affected,” the company said in an advisory. “Manual Upgrades of Passwordstate are not compromised. Affected customers’ password records may have been harvested.”


The development was first reported by the Polish tech news site Niebezpiecznik. It’s not immediately clear who the attackers are or how they compromised the password manager’s update feature. Click Studios said an investigation into the incident is ongoing but noted “the number of affected customers appears to be very low.”

Passwordstate is an on-premises, web-based solution for enterprise password management that lets businesses securely store passwords, integrate the product into their own applications, and reset passwords across a range of systems, among other functions. The software is used by 29,000 customers and 370,000 security and IT professionals globally, including several Fortune 500 companies in verticals such as banking, insurance, defense, government, education, and manufacturing.

According to an initial analysis shared by Denmark-based security firm CSIS Group, the malware-laced update came in the form of a ZIP archive, “Passwordstate_upgrade.zip,” which contained a modified version of a library called “moserware.secretsplitter.dll” (two samples were submitted to VirusTotal).

This file, in turn, established contact with a remote server to fetch a second-stage payload (“upgrade_service_upgrade.zip”) that extracted Passwordstate data and exported the information back to the adversary’s CDN network. Click Studios said the server was taken down as of April 22 at 7:00 AM UTC.
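The attack chain above hinges on a single tampered DLL inside an otherwise normal upgrade archive, so the defender's check is to compare every member of the archive against a vendor-published hash manifest before any in-place upgrade runs. The following is an added example, not code from Click Studios or CSIS Group; the manifest values and DLL contents are constructed stand-ins, since the article publishes no hashes, and a real manifest would be obtained from the vendor out of band.

```python
import hashlib
import io
import zipfile
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_upgrade_archive(zip_bytes: bytes, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare each file in an upgrade ZIP with a trusted SHA-256 manifest.

    Returns the member names that were modified (hash mismatch), unexpected
    (present in the ZIP but not in the manifest) or missing (in the manifest
    but absent from the ZIP). Refuse the upgrade if any list is non-empty.
    """
    result: Dict[str, List[str]] = {"modified": [], "unexpected": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            seen.add(info.filename)
            expected = manifest.get(info.filename)
            if expected is None:
                result["unexpected"].append(info.filename)
            elif sha256(zf.read(info)) != expected.lower():
                result["modified"].append(info.filename)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: the real DLL bytes and vendor hashes are not on the page.
GENUINE_DLL = b"constructed stand-in for the legitimate moserware.secretsplitter.dll"
TAMPERED_DLL = GENUINE_DLL + b" plus a constructed second-stage loader stub"
OTHER_FILE = b"constructed stand-in for another archive member"
TRUSTED_MANIFEST = {
    "moserware.secretsplitter.dll": sha256(GENUINE_DLL),
    "upgrade_notes.txt": sha256(OTHER_FILE),
}
```

In the Passwordstate case the tampered archive would report `moserware.secretsplitter.dll` under `modified`, and any extra member such as a dropped second-stage file would appear under `unexpected`.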


The full list of compromised information includes the computer name, user name, domain name, the current process name and process ID, the names and IDs of all running processes, the names, display names and status of all running services, the Passwordstate instance’s proxy server address, and usernames and passwords.

Click Studios has released a hotfix package that removes the attacker’s tampered DLL and overwrites it with a legitimate copy. The company also recommended that businesses reset all credentials associated with external-facing systems (firewalls, VPNs) as well as internal infrastructure (storage systems, local systems) and any other passwords stored in Passwordstate.

Passwordstate’s breach comes as supply chain attacks are fast emerging as a new threat to companies that depend on third-party software vendors for their day-to-day operations. In December 2020, a rogue update to the SolarWinds Orion network management software installed a backdoor on the networks of up to 18,000 customers.

Last week, software auditing startup Codecov alerted customers that it discovered its software had been infected with a backdoor as early as January 31 to gain access to authentication tokens for various internal software accounts used by developers. The incident didn’t come to light until April 1.


Mourad ELGORMA