Click Studios, a popular name behind the Passwordstate enterprise password manager, suffered a supply chain attack. After breaching the network, the threat actors compromised the app's update mechanism to spread malware.
An email notification regarding the attack was sent to users, who were advised to take precautionary measures. The breach lasted for about 28 hours and occurred between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC. The Polish news site Niebezpiecznik also posted the email on their official email account.
In a statement, the Australian software company revealed that the bad actors used advanced tactics to compromise the software's update mechanism. They then used the mechanism to distribute malware to customers' systems to mine data. The compromised information includes the following data:
- Domain name
- Access control
- Active directory
- Computer name
- User name
- Current process name
- Display name and status
- Names of all running devices
- Passwordstate Proxy server address and passwords
Researchers at the CSIS Security Group were the first to reveal the attack. They published indicators of the attack, which they have dubbed Moserpass. The security group claimed that the attack was carried out through a malicious update delivered as a zip file named Passwordstate_upgrade.zip, which included a malicious DLL, moserware.secretsplitter.dll.
The Adelaide-based company's Passwordstate is a web-based solution that businesses use to store passwords securely, manage and reset passwords, and integrate the solution into their applications. 29,000 customers and 370,000 security and IT experts use this software all across the world.
To minimize the effect of the attack, the company released a hotfix to help users remove the malware from their systems.
The company also recommended that customers reset all credentials associated with both external and internal infrastructure. This includes VPN, firewalls, storage systems, and other passwords stored in Passwordstate.