
Passwordstate credentials potentially ‘harvested’ after malicious software update injected into password manager


Passwords stored in enterprise password manager Passwordstate may have been “harvested” by attackers who planted a malicious software update file, the application’s developer, Click Studios, has revealed.

As per a Click Studios security advisory (PDF) issued on April 24, the “sophisticated” supply chain attack potentially affects customers who performed an in-place upgrade during the 28-hour period before the vendor disabled the feature.

Manual upgrades were unaffected, said Click Studios.

The vendor has issued a hotfix and advised affected users to reset all passwords stored in the password manager.

High-value target

The incident was first documented in a blog post from Danish infosec firm CSIS Group on April 23, which dubbed the malware ‘Moserpass’.

Enterprise password managers are used to securely store corporate passwords, credentials, secrets, tokens, and keys that grant access to confidential systems and data.

Click Studios says Passwordstate is used by more than 29,000 customers, including Fortune 500 companies and organizations in verticals including banking, utilities, and healthcare.

However, in a second security advisory (PDF) posted yesterday (April 25), the Australian firm maintained that “the number of affected customers still appears to be very low”.

This assessment, however, “may change as more customers supply the requested information”, the company said.

Moserpass attack vectors

Click Studios said the attacker compromised the upgrade director on Click Studios’ website that “points the in-place upgrade to the appropriate version of software located on the content distribution network”.

The Adelaide-based company did not confirm the attack methods involved, but indicated that they did not involve the abuse of “stolen or weak credentials”.

The second advisory also stated that Click Studios’ “CDN network was not compromised”, and that a separate bulletin, produced independently for internal use, supported its own “initial analysis”.

Timeline

Upgrades conducted between April 20, 20:33 UTC and April 22, 00:30 UTC put customers at risk of downloading “a malformed Passwordstate_upgrade.zip file”.

The software vendor said it began helping “the small number of customers who were reporting issues with in-place upgrades” on April 21, and alerted customers by email the following day.

Downloading the malicious file set in train a process that culminated in the extraction of passwords and other system information to the attackers’ CDN network.

This included the computer name, user name, domain name, and the current process name and ID; the names, IDs, display names, and statuses of all running processes and services; and the Passwordstate instance’s proxy server address, username, and password.

Password table fields relayed to the attacker included Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, and Password.

“There is no evidence of encryption keys or database connection strings being posted to the bad actor CDN network”, said Click Studios. This means ‘GenericFields’ data is safe where users chose to encrypt these fields.

Mitigation advice

Customers “are likely to have been affected” if the moserware.secretsplitter.dll file within their c:\inetpub\passwordstate\bin\ directory is 65 KB in size, an indication of compromise.

The software developer has, in its latest advisory, provided checksums that can be used to check whether the file is malicious.
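The following PowerShell script is an added example of how an administrator might apply the two checks described above (file size and checksum of moserware.secretsplitter.dll); it is not code from Click Studios or from the original article. It assumes the default install path quoted in the advisory, treats the advisory’s “65 KB” as a file between 64 KB and 66 KB, uses the published upgrade window as supporting evidence, and expects the SHA-256 values in `$KnownHashes` to be copied from the Click Studios advisory (the table is left empty here, not populated with invented checksums).

```powershell
# Added example (not Click Studios or Daily Swig code): triage a Passwordstate
# server for the malicious moserware.secretsplitter.dll described in the advisory.
#
# Assumptions:
#   - default install path C:\inetpub\passwordstate (as quoted in the advisory)
#   - "65 KB" in the advisory is read as a file between 64 KB and 66 KB
#   - $KnownHashes is filled in by the operator from the vendor advisory:
#       @{ '<SHA256 of known-good DLL>' = 'good'; '<SHA256 of malicious DLL>' = 'bad' }
#     It is deliberately empty here; no checksums are invented in this example.
param(
    [string]$InstallDir = 'C:\inetpub\passwordstate',
    [hashtable]$KnownHashes = @{}
)

# Upgrade window quoted by Click Studios (UTC). A DLL written inside this window
# is supporting evidence only: timestamps can be altered, and applying the
# hotfix will overwrite the file and its timestamp.
$WindowStart = [DateTimeOffset]::Parse('2021-04-20T20:33:00Z').UtcDateTime
$WindowEnd   = [DateTimeOffset]::Parse('2021-04-22T00:30:00Z').UtcDateTime

function Test-PasswordstateDll {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Known = @{}
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Verdict = 'missing' }
    }

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()

    # Size heuristic from the advisory: a ~65 KB DLL is the stated indicator.
    $sizeSuspicious = ($item.Length -ge 64KB) -and ($item.Length -le 66KB)
    $inWindow = ($item.LastWriteTimeUtc -ge $WindowStart) -and ($item.LastWriteTimeUtc -le $WindowEnd)

    # Checksum comparison takes precedence over the size heuristic; normalise
    # the operator-supplied keys so case differences do not cause a miss.
    $normalised = @{}
    foreach ($k in $Known.Keys) { $normalised[$k.ToUpperInvariant()] = $Known[$k] }

    if ($normalised.ContainsKey($hash)) {
        $verdict = "$($normalised[$hash]) (checksum matched advisory)"
    }
    elseif ($sizeSuspicious) {
        $verdict = 'likely affected: size matches advisory indicator; confirm hash against advisory'
    }
    else {
        $verdict = 'size not indicative; confirm hash against advisory'
    }

    [pscustomobject]@{
        Path              = $Path
        Present           = $true
        SizeBytes         = $item.Length
        LastWriteUtc      = $item.LastWriteTimeUtc
        WrittenInWindow   = $inWindow
        Sha256            = $hash
        Verdict           = $verdict
    }
}

$dll = Join-Path $InstallDir 'bin\moserware.secretsplitter.dll'
Test-PasswordstateDll -Path $dll -Known $KnownHashes | Format-List
```

Run it on the web server before applying the hotfix, since the hotfix replaces the DLL. A checksum match against the advisory’s published values is the authoritative result; the size and timestamp fields are there to prioritise hosts when the checksum is not yet to hand. A “likely affected” verdict should be followed by the vendor’s remediation guidance, including the password reset described above.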

“Click Studios is continuing to work with our customers, identifying if they have been affected and advising them of the required remedial actions,” the vendor added.

The Daily Swig has asked Click Studios whether there have been further developments of note in the investigation. We will update the article if and when we hear back.

Source: https://portswigger.net/daily-swig/passwordstate-credentials-potentially-harvested-after-malicious-software-update-injected-into-password-manager
