A supply chain attack compromised the update mechanism of Passwordstate Password Manager

The software company Click Studios was the victim of a supply chain attack, hackers compromised its Passwordstate password management application.

Another supply chain attack made the headlines, the Australian software company Click Studios informed its customers of the security breach that impacted its Passwordstate password management application.

Passwordstate is the Enterprise Password Management solution used by more than 29,000 customers and 370,000 security and IT professionals globally.

Threat actors compromised the software’s update mechanism to deliver malware on users’ devices, between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC.

“Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network.” reads the advisory published by the company. “The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested.”

The investigation is still ongoing, at the time of this writing the software firm said that the number of affected customers appears to be very low.

Security firm CSIS Group, which investigated the supply chain attack, confirmed that attackers compromised the update mechanism to drop a malicious update via a zip file “Passwordstate_upgrade.zip.” The ZIP archive contained a rogue dll named “moserware.secretsplitter.dll”.

“The update mechanism was used to drop a malicious update via a zip file “Passwordstate_upgrade.zip” containing a rogue dll “moserware.secretsplitter.dll”. The company mentions that the C&C of the rogue dll was using a CDN (Content Delivery Network) that was terminated on the 22nd of April 2021 7:00am UTC.” reads the CSIS’s report.

“CSIS Security Group researchers discovered one of the rogue dll’s during an investigation. We will try to share the IoC’s that we have discovered in order for companies to determine if they have been impacted by this attack. We have dubbed this incident/malware “Moserpass“.

The malicious dll employed in the attack and named “Moserware.SecretSplitter.dll ([1], [2])” was injected with a small “Loader” that attackers added to the legitimate dll.

The malicious code connects to a remote server to fetch a second-stage payload (“upgrade_service_upgrade.zip”) that gathered the Passwordstate data and exported the information back to the adversary’s CDN network.

The researchers also published the list of Indicators of Compromise (IoCs).

Recently another software firm suffered a supply chain attack, the software auditing firm Codecov.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Passwordstate)

[adrotate banner=”5″]

[adrotate banner=”13″]