Following a cyberattack on its enterprise password manager Passwordstate, Click Studios, an Australian software house, has advised customers to reset passwords across their organizations. According to an email Click Studios sent to customers, attackers "compromised" the password manager's software upgrade function in order to extract user passwords.
The breach took place between April 20 and April 22. Details of the attack were published by CSIS Security Group, which handled the incident, and Click Studios described the attack in an advisory.
The company said, “Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers' password records may have been harvested.”
The supply chain attack was delivered through an update to the Passwordstate application. Once the malicious update is applied, it connects to the attackers' servers and downloads malware designed to intercept the password manager's contents and send them back to the attackers. The attackers' servers were also taken down on April 22, according to the company. However, if the attackers manage to bring their infrastructure back up, Passwordstate users could again be at risk.
Enterprise password managers let employees share passwords and other credentials for their company's network devices, such as firewalls and VPNs, as well as shared email accounts, internal directories, and social media accounts. According to Click Studios, Passwordstate is used by “more than 29,000 customers,” including Fortune 500 companies, federal agencies, banks, military and aerospace companies, and businesses in most sectors.
On remediation for Passwordstate customers, Click Studios said, “Customers have been advised to check the file size of moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin\ directory. If the file size is 65kb then they are likely to have been affected. They are requested to contact Click Studios with a directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt and send this to Click Studios Technical Support.”
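The check described above, as an added PowerShell example that is not Click Studios' own script: it inspects the DLL named in the advisory, reports its size and hash, and writes the requested directory listing to PasswordstateBin.txt. It assumes the default install path quoted in the advisory and reads "65kb" as a size that rounds to 65 KB, the way File Explorer would display it.

```powershell
# Added example (not Click Studios' code): check the indicator from the
# advisory and produce the directory listing support asked for.
# Assumptions: default install path from the advisory; "65kb" means the
# size rounds to 65 KB as File Explorer would show it.
$BinDir  = 'C:\inetpub\passwordstate\bin'
$Dll     = Join-Path $BinDir 'moserware.secretsplitter.dll'
$Listing = Join-Path $env:USERPROFILE 'PasswordstateBin.txt'

if (-not (Test-Path $Dll)) {
    Write-Warning "$Dll not found; confirm the Passwordstate install path."
    return
}

$Item   = Get-Item $Dll
$SizeKB = [math]::Round($Item.Length / 1KB)
$Sha256 = (Get-FileHash -Path $Dll -Algorithm SHA256).Hash

"moserware.secretsplitter.dll: $($Item.Length) bytes (~$SizeKB KB), SHA256 $Sha256"

if ($SizeKB -eq 65) {
    Write-Warning 'Size matches the advisory indicator (65 KB): treat this host as likely affected and contact Click Studios support.'
} else {
    'Size does not match the 65 KB indicator; still send the listing if this host ran an In-Place Upgrade during the compromise window.'
}

# Directory listing with sizes, timestamps and hashes for the support ticket.
Get-ChildItem -Path $BinDir -File |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Format-Table -AutoSize | Out-String -Width 200 | Set-Content -Path $Listing

"Listing written to $Listing"
```

Run it in an elevated PowerShell session on the Passwordstate web server; the hashes in the listing let support compare each file against a known-good build rather than relying on size alone.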