Passwordstate Was Hacked in a Supply Chain Attack
The vendor of the enterprise password manager, Click Studios, notified customers that attackers breached its network and compromised the app's update mechanism to deliver malware in a supply-chain attack.
Passwordstate, an on-premises password management solution used by more than 370,000 security and IT professionals at 29,000 companies worldwide, including Fortune 500 companies across sectors such as government, defense, finance, aerospace, retail, automotive, healthcare, legal, and media, was recently the victim of a supply chain attack.
The attack took place between April 20 and April 22, 2021 and was delivered through the product's own upgrade process: customers who upgraded during that window downloaded a malicious package.
🚨 The PasswordState password manager has been hacked and customers' computers infected.
The vendor is notifying victims by e-mail.
This password manager is "enterprise", so the problem will mostly affect companies... Ouch!
(Tip from Tajemniczy Pedro) pic.twitter.com/PGHhmEKpje
— Niebezpiecznik (@niebezpiecznik) April 23, 2021
Once deployed, the malware, dubbed Moserpass, harvested system information and Passwordstate data and sent it to attacker-controlled servers.
Some quick analysis on this Moserpass supply-chain attack revealed by @peterkruse–
A quick diff shows the attackers crudely added a ‘Loader’ code section, just an extra 4KB from an older version. pic.twitter.com/A8vLPxvyZO
— J. A. Guerrero-Saade (@juanandres_gs) April 23, 2021
Notably, after uploading the collected data the malware sleeps for one day and then repeats the harvesting and upload cycle.
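A fixed one-day sleep between uploads leaves a pattern in outbound logs that a defender can hunt for. The following is an added example, not from the article or from any analysis of Moserpass: it scans constructed web-proxy log lines for source/destination pairs that are contacted at intervals close to 24 hours. The log format, the addresses, and the timings are all made up for the example.

```python
"""Added example: hunting for a once-a-day check-in pattern in proxy logs.

Nothing here comes from the article or from Moserpass itself; the log format,
hosts, and timestamps are constructed so the example runs offline.
"""
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400  # seconds

# Constructed sample proxy log: "<utc-timestamp> <src> <dst> <port> <method>".
# 203.0.113.9 is contacted once a day with a few seconds of drift;
# 198.51.100.20 is ordinary traffic at irregular times.
SAMPLE_LOG = """\
2021-04-21T03:12:07Z 10.0.5.14 203.0.113.9 443 CONNECT
2021-04-21T03:40:11Z 10.0.5.14 198.51.100.20 443 CONNECT
2021-04-22T03:12:09Z 10.0.5.14 203.0.113.9 443 CONNECT
2021-04-22T09:00:00Z 10.0.5.14 198.51.100.20 443 CONNECT
2021-04-23T03:12:12Z 10.0.5.14 203.0.113.9 443 CONNECT
2021-04-23T15:30:45Z 10.0.5.14 198.51.100.20 443 CONNECT
2021-04-24T03:12:10Z 10.0.5.14 203.0.113.9 443 CONNECT
"""


def parse_log(text):
    """Return a list of (epoch_seconds, src, dst); blank or short lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), parts[1], parts[2]))
    return events


def find_periodic_beacons(events, period=DAY, tolerance=600, min_events=3):
    """Return {(src, dst): [gaps_in_seconds]} for pairs whose consecutive
    contacts all fall within `tolerance` seconds of `period`.

    A fixed sleep between uploads produces exactly this signature; ordinary
    user traffic to the same destination almost never does.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits[pair] = gaps
    return hits


if __name__ == "__main__":
    for (src, dst), gaps in find_periodic_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: contacted every ~{DAY}s, gaps {gaps}")
```

The tolerance of ten minutes is a guess for this example; the article only says the malware sleeps for a day, and real implants often add jitter, so treat this as a hunting query to tune rather than a signature. It also only catches pairs that survived in the logs long enough to repeat at least twice, which for a one-day interval means the host has been infected for several days.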
When Click Studios published a second advisory on Sunday, it advised customers to reset all passwords stored in Passwordstate as a precaution, noting that “only customers that performed In-Place Upgrades between the times stated above are believed to be affected and may have had their Passwordstate password records harvested.”
“To be clear, Click Studios CDN Network was not compromised. The initial compromise pointed the In-Place Upgrade functionality to a CDN network not controlled by Click Studios.”
The number of affected customers is not yet known. The company says it can make an assessment based on the window of opportunity the malware had, which lasted around 28 hours, the nature of the initial compromise and subsequent exploit, and the information customers provide in response to its request, and that all of this points toward a very low number of affected clients.
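The vendor's statement above describes the core of the attack: the In-Place Upgrade pointer was redirected to a CDN the vendor did not control, and the upgrade client installed what it was pointed at. The following is an added example, not Click Studios' code, of an upgrade client that refuses that outcome. It assumes a hypothetical manifest of the form `{"url": ...}`, hypothetical allowlisted hosts under `vendor.example`, and constructed package bytes; the expected digest is assumed to come from a channel the attacker cannot edit along with the pointer, such as a signed manifest or a vendor release page fetched separately.

```python
"""Added example, not Click Studios' code: an upgrade client that checks where
a package comes from and what it contains before installing it.

All of the following is hypothetical: the manifest format ({"url": ...}), the
allowlisted hosts (*.vendor.example), and the package bytes.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical: the only hosts this client may download packages from.
ALLOWED_HOSTS = {"updates.vendor.example", "cdn.vendor.example"}

# Constructed sample packages. The tampered one has an extra section appended,
# mirroring the "crudely added Loader section" noted in the tweet above.
GOOD_PACKAGE = b"UPGRADE-PACKAGE-v9\x00" + b"\x90" * 64
TAMPERED_PACKAGE = GOOD_PACKAGE + b"LOADER" + b"\xcc" * 32

# The expected digest must come from somewhere the attacker cannot edit along
# with the download pointer; here it is simply computed from the known-good bytes.
EXPECTED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()

# Constructed stand-in for the network so the example runs offline.
FAKE_NETWORK = {
    "https://cdn.vendor.example/upgrade.zip": GOOD_PACKAGE,
    "https://cdn.vendor.example/upgrade-tampered.zip": TAMPERED_PACKAGE,
    "https://cdn.attacker.example/upgrade.zip": TAMPERED_PACKAGE,
    "http://cdn.vendor.example/upgrade.zip": GOOD_PACKAGE,
}


def fetch(url):
    """Pretend to download `url`; a real client would use an HTTPS library here."""
    return FAKE_NETWORK[url]


class UpgradeRejected(Exception):
    pass


def naive_upgrade(manifest):
    """Weak form: install whatever the pointer names, from wherever it points."""
    return fetch(manifest["url"])


def verified_upgrade(manifest, expected_sha256):
    """Hardened form: require TLS, allowlist the host, pin the package digest."""
    url = manifest["url"]
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpgradeRejected(f"download not over HTTPS: {url}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise UpgradeRejected(f"download host not allowlisted: {parsed.hostname}")
    package = fetch(url)
    digest = hashlib.sha256(package).hexdigest()
    # A compromised or redirected CDN can serve a modified package under an
    # allowlisted name, so the content check is the one that actually matters.
    if not hmac.compare_digest(digest, expected_sha256):
        raise UpgradeRejected("package digest mismatch")
    return package


def upgrade_outcome(manifest, expected_sha256):
    """Run the hardened path and report the result as a string."""
    try:
        verified_upgrade(manifest, expected_sha256)
    except UpgradeRejected as exc:
        return f"rejected: {exc}"
    return "installed"


if __name__ == "__main__":
    for url in FAKE_NETWORK:
        print(url, "->", upgrade_outcome({"url": url}, EXPECTED_SHA256))
```

The point of the two checks is that they fail independently: host allowlisting alone would have stopped a pointer to a foreign CDN but not a tampered file on the vendor's own CDN, and a digest alone is worthless if it is read from the same manifest the attacker rewrote. A digest or signature carried by the manifest only helps when the manifest itself is signed with a key pinned in the client.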