As many as 29,000 users of the password manager Passwordstate downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app’s creator told customers.
In an email, Passwordstate’s creator, Click Studios, told customers that attackers compromised the upgrade mechanism and used it to install a malicious file on user computers. The file, named “moserware.secretsplitter.dll,” contained a legitimate copy of an app called SecretSplitter, along with malicious code called “Loader,” according to a brief description from security firm CSIS Group.
The Loader code fetches the archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip and extracts from it an encrypted second-stage payload. Once decrypted, that payload is executed directly in memory. The email from Click Studios said the code “extracts information about the computer system and selects Passwordstate data, which is then posted to the bad actors’ CDN network.”
The compromised Passwordstate update was available from April 20 at 8:33 a.m. UTC to April 22 at 12:30 a.m. UTC. The attacker’s server was shut down at 07:00 UTC on April 22.
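The indicators the article gives (the CDN host and archive path the loader contacts, the DLL name, and the window during which the poisoned update was served) are enough for a first sweep of web-proxy logs. The script below is an added example, not code from the article or from Click Studios: it flags every log line that contacted the attacker host, labels the hit by what it looks like (the second-stage fetch, a POST that may be exfiltration, or other contact), and notes whether it falls inside the published window. The log format (timestamp, client, method, URL) and the sample lines are constructed for the demo; adapt parse_line() to your proxy’s real format. The defanging brackets in the article’s URL are removed here so the host matches real log data.

```python
"""IOC sweep for the Passwordstate supply-chain compromise (added example)."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Indicators taken from the article (host written without defanging brackets).
IOC_HOST = "passwordstate-18ed2.kxcdn.com"
IOC_PATH = "/upgrade_service_upgrade.zip"
IOC_DLL = "moserware.secretsplitter.dll"

# Window during which the compromised update was served, per Click Studios.
WINDOW_START = datetime(2021, 4, 20, 8, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 22, 0, 30, tzinfo=timezone.utc)

# Constructed sample proxy log: "<ISO8601 UTC> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2021-04-19T10:02:11Z 10.1.2.30 GET https://www.clickstudios.com.au/
2021-04-20T09:14:57Z 10.1.2.30 GET https://passwordstate-18ed2.kxcdn.com/upgrade_service_upgrade.zip
2021-04-20T09:15:03Z 10.1.2.30 POST https://passwordstate-18ed2.kxcdn.com/
2021-04-21T15:41:08Z 10.1.2.44 GET https://passwordstate-18ed2.kxcdn.com/upgrade_service_upgrade.zip
2021-04-23T08:00:00Z 10.1.2.44 GET https://passwordstate-18ed2.kxcdn.com/upgrade_service_upgrade.zip
2021-04-22T11:00:00Z 10.1.2.50 GET https://example.org/index.html
"""


def parse_line(line):
    """Split one constructed-format log line into (timestamp, client, method, url)."""
    ts_str, client, method, url = line.split(maxsplit=3)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, client, method, url


def is_ioc_url(url):
    """True if the URL's host is the attacker CDN host named in the article."""
    return (urlparse(url).hostname or "").lower() == IOC_HOST


def is_ioc_dll(filename):
    """True if a file name matches the malicious DLL name (case-insensitive)."""
    return filename.lower() == IOC_DLL


def in_window(ts):
    """True if a timestamp falls inside the compromised-update window."""
    return WINDOW_START <= ts <= WINDOW_END


def classify(method, url):
    """Label a hit. 'possible exfil POST' is an assumption based on the article
    saying collected data is posted to the attacker CDN; confirm from the body size."""
    if urlparse(url).path == IOC_PATH:
        return "second-stage fetch"
    if method.upper() == "POST":
        return "possible exfil POST"
    return "other contact"


def sweep(log_text):
    """Return one dict per log line that contacted the attacker host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = parse_line(line)
        if not is_ioc_url(url):
            continue
        hits.append({
            "client": client,
            "time": ts,
            "stage": classify(method, url),
            # A hit outside the window is still a hit: retries and cached DNS
            # can land after the server was taken down, and it still needs triage.
            "in_window": in_window(ts),
        })
    return hits


def affected_hosts(hits):
    """Distinct client addresses that need password rotation and forensics."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        flag = "in window" if h["in_window"] else "OUTSIDE window"
        print(f"{h['time'].isoformat()} {h['client']:<10} {h['stage']:<20} {flag}")
    print("hosts to triage:", ", ".join(affected_hosts(found)))
```

Any client that shows up in affected_hosts() should be treated as one whose Passwordstate database contents are in the attacker’s hands, regardless of whether the contact fell inside the window; the window only tells you whether the poisoned update could have been downloaded, not whether a given host was clean.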
The dark side of password managers
Security professionals regularly recommend password managers because they make it easy for people to store long, complex passwords that are unique across hundreds or even thousands of accounts. Without using a password manager, many people resort to weak passwords that are reused across multiple accounts.
The Passwordstate breach underscores the risk inherent in password managers: they are a single point of failure, and compromising one can expose large numbers of online resources at once. The risk is significantly reduced when two-factor authentication is available and enabled, as extracted passwords alone are then not enough to gain unauthorized access. Click Studios says Passwordstate offers multiple 2FA options.
The breach is especially concerning because Passwordstate is primarily sold to enterprise customers who use the manager to store passwords for firewalls, VPNs and other enterprise applications. Click Studios says Passwordstate is “trusted by more than 29,000 customers and 370,000 security and IT professionals around the world, with an installed base ranging from the largest enterprises, including many Fortune 500 companies, to the smallest IT stores.”
Another attack on the supply chain
The Passwordstate compromise is the latest high-profile supply chain attack to come to light in recent months. In December, a malicious update to SolarWinds’ network management software installed a backdoor on the networks of as many as 18,000 customers. Earlier this month, a tampered developer tool, the Codecov Bash Uploader, extracted secret authentication tokens and other sensitive data from infected machines and sent them to a remote site controlled by the hackers.
Two first-stage payloads uploaded to VirusTotal showed that, at the time this post went live, none of the 68 tracked endpoint security programs detected the malware. Investigators have so far been unable to obtain samples of the second-stage payload.
Anyone using Passwordstate should immediately reset all stored passwords, especially those for firewalls, VPNs, switches, local accounts, and servers.
Click Studios representatives did not respond to an email requesting comment for this entry.