Home News Click Studios’ Password Manager ‘Passwordstate’ Hacked via Update Feature

Click Studios’ Password Manager ‘Passwordstate’ Hacked via Update Feature

Click Studios-owned password manager Passwordstate suffered a breach between April 20 and April 22. Threat actors initiated the breach via an its update feature on the Passwordstate app.

biggest data breaches in India,data breach, Aptoide Android App Admits Data Breach, Suspends Sign-Up Option Temporarily, Panasonic

A majority of industry experts agree that using password managers is the most secure way to protect your passwords. Password managers give an extra layer of protection to your online accounts by encrypting all your saved passwords. However, there is no way to stay 100% secure online. Even a robust and reliable password manager can be hacked. And this came true when cybersecurity researchers from CSIS Security Group recently discovered a supply chain hack on Passwordstate , a password manager owned by an Australian firm Click Studios.

 Deployment of a Corrupted Update

In an official release, Click Studios stated that it suffered a data breach, between April 20 and April 22, after an unknown attacker deployed a corrupted update to Passwordstate by compromising its In-Place Upgrade functionality. The attack lasted for around 28 hours before it was shut down, exposing users’ sensitive data online.  Reportedly, the users who performed In-Place Upgrades between April 20, 8:33 PM UTC and April 22, 0:30 AM UTC have likely downloaded a malformed Passwordstate_upgrade.zip file injected by the attackers.

Moserpass Malware

The researchers claimed that threat actors deployed malware, tracked as Moserpass, in the form of a ZIP archive file – Passwordstate_upgrade.zip containing a modified version of a library – moserware.secretsplitter.dll. The ZIP file connects with the remote server to fetch a second-stage payload – upgrade_service_upgrade.zip that extracted Passwordstate users’ data and exported the information to the adversary’s Content Delivery Network (CDN) network.

  Image Courtesy: CSIS Group

Indicators of Compromise

  1. Malicious dll: f23f9c2aaf94147b2c5d4b39b56514cd67102d3293bdef85101e2c05ee1c3bf9
    SecretSplitter.dll

    2. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36

    3. C&C: https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip

 Massive Data Exposed

Initial analysis of the compromised data indicates that Moserpass malware harvested users’ sensitive details including, computer name, username, domain name, current process name, current process ID, all running processes name and IDs, all running services’ name, display name, status, Passwordstate instance’s Proxy Server Address, username, and password.

“The Domain Name and Hostname aren’t extracted as part of this. Although the encryption key and database connection string are used to process data via hooking into the Passwordstate Service process, there is no evidence of encryption keys or database connection strings being posted to the bad actor CDN network,” Click Studios said.

Remedial Measures

Click Studios urged the affected customers to immediately:

  • Download the advised hotfix file.
  • Use PowerShell to confirm the checksum of the hotfix file matches the details supplied.
  • Stop the Passwordstate Service and Internet Information Server.
  • Extract the hotfix to the specified folder.
  • Restart the Passwordstate Service, and Internet Information Server.

Besides, the company advised all its customers to reset passwords on their Passwordstate account as a precautionary measure. Click Studios recommended password resets based on:

  • All credentials for externally facing systems, i.e., Firewalls, VPN, external websites, etc.
  • All credentials for internal infrastructure, i.e., Switches, Storage Systems, Local Accounts.
  • All remaining credentials stored in Passwordstate.

Passwordstate has more than 29,000 customers globally and this data breach could potentially have impacted a large number of users.

“Click Studios is continuing to work with our customers, identifying if they have been affected and advising them of the required remedial actions. Click Studios is also liaising with a Nationally Based 3rd party for assistance on in-depth analysis and direction for specialist technical support,” Click Studios added.

Resetting all your stored passwords, and especially firewalls, VPNs, switches, or any server passwords will help prevent any future risk.