In yet another supply chain attack, a “sophisticated” threat actor has compromised an update of the password manager Passwordstate that was available for download for more than two days before the malicious activity was discovered.
Click Studios, the Australian company that owns Passwordstate, said customers that performed an in-place upgrade between April 20 at 8:33 p.m. UTC and April 22 at 12:30 a.m. UTC “had the potential to download a malformed Passwordstate_upgrade.zip file.”
According to the company’s advisories on the incident, the initial compromise was made to the upgrade director on Click Studios’ website.
“The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network,” the company said. “The compromise existed for approximately 28 hours before it was closed down.”
The company didn’t disclose how many victims were affected, but said that number should be relatively low. However, customers that did download the malicious file could have their password records harvested.
Regardless, customers are being asked to reset all stored passwords – especially for VPNs, firewalls, switches, local accounts or any server passwords.
Here’s more from Click Studios’ advisory:
When the In-Place Upgrade capability processes the malformed Passwordstate_upgrade.zip, a modified moserware.secretsplitter.dll, with a size of 65kb, is loaded. This subsequently downloads an additional file, upgrade_service_upgrade.zip, from a bad actor’s CDN network, starts a new background thread, converts the upgrade_service_upgrade.zip to a .NET assembly stored only in memory and begins processing.
The process extracts information about the computer system, and selects Passwordstate data, which is then posted to the bad actor’s CDN network. On completion the thread is then put to sleep for 1 day.
Analysis of compromised data indicates the following information is posted back:
Computer Name, User Name, Domain Name, Current Process Name, Current Process Id, All running Processes name and ID, All running services name, display name and status, Passwordstate instance’s Proxy Server Address, Username and Password
The following fields in the Passwordstate instance’s password table are posted back:
Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, Password
The domain name and host name aren’t extracted as part of that process, and there is no evidence of encryption keys or database connection strings being posted to the bad actor’s CDN network, the company says.
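A triage check for the indicators quoted above, written for this page as an added example (not Click Studios’ code or tooling): it walks a Passwordstate install tree, reports every moserware.secretsplitter.dll with its size and SHA-256, flags any copy whose size is near the 65 KB the advisory reports, and also flags a lingering upgrade_service_upgrade.zip. The 2 KB size tolerance and the constructed sample tree in `demo()` are assumptions; the advisory text on this page publishes no hash, so the digest is reported for comparison against a vendor-supplied value rather than matched here.

```python
"""Triage check for the Passwordstate loader indicators described in the advisory."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the advisory text quoted above. The size is the
# only attribute given for the modified DLL; no hash appears on the page.
LOADER_NAME = "moserware.secretsplitter.dll"
REPORTED_LOADER_SIZE = 65 * 1024        # "65kb" per the advisory
SIZE_TOLERANCE = 2 * 1024               # assumption: +/- 2 KB slack around the reported size
DROPPED_ARCHIVE = "upgrade_service_upgrade.zip"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_install_dir(root: Path) -> list[dict]:
    """Walk an install tree and report every file matching the advisory's indicators."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == LOADER_NAME:
            size = path.stat().st_size
            findings.append({
                "path": str(path), "indicator": "loader_dll", "size": size,
                "sha256": sha256_of(path),
                "matches_reported_size": abs(size - REPORTED_LOADER_SIZE) <= SIZE_TOLERANCE,
            })
        elif name == DROPPED_ARCHIVE:
            # Any copy of the second-stage archive on disk is worth a look regardless of size.
            findings.append({"path": str(path), "indicator": "dropped_archive",
                             "size": path.stat().st_size, "sha256": sha256_of(path),
                             "matches_reported_size": True})
    return findings


def demo() -> list[dict]:
    """Constructed sample tree: one 65 KB DLL (flagged) and one 16 KB DLL (not flagged)."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / LOADER_NAME).write_bytes(b"\x00" * REPORTED_LOADER_SIZE)
    (root / "backup").mkdir()
    (root / "backup" / LOADER_NAME).write_bytes(b"\x00" * (16 * 1024))
    return scan_install_dir(root)
```

Run `scan_install_dir(Path(r"C:\inetpub\Passwordstate"))` (path is an example, not from the advisory) against a real install and compare the reported SHA-256 values with the vendor’s published hashes before acting on a size match alone.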
CSIS Security Group A/S, a Dutch cybersecurity company, also posted an analysis of the attack.