Compromised update mechanism for Passwordstate pushes malware that steals data.
Up to 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the application and sent it to a server controlled by an attacker, the manufacturer of the application told customers.
In an email, the creator of Passwordstate, Click Studios, told customers that attackers had compromised its update mechanism and used it to install a malicious file on users’ computers. The file, called “moserware.secretsplitter.dll”, contained a legitimate copy of an application called SecretSplitter, along with malicious code called “Loader”, according to a brief article by security company CSIS Group.
The loader code attempts to retrieve an archive at https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip so that it can obtain an encrypted second-stage payload. Once decrypted, that code is executed directly in memory. The Click Studios email said that the code “extracts information about the computer system and selects the Passwordstate data, which is then posted on the evildoers’ CDN network”.
The compromise of the Passwordstate update mechanism lasted from April 20 at 8:33 UTC to April 22 at 12:30 PM. The attacker’s server was shut down on April 22 at 7am UTC.
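The network indicator and time window above are what a defender has to work with while waiting for second-stage samples. The following is an added illustration, not code from Click Studios, CSIS Group or the original article: it scans proxy-style log lines for requests to the attacker CDN host named above, flags fetches of the `upgrade_service_upgrade.zip` path as the loader's stage-two retrieval, and marks whether each hit falls inside the reported compromise window. The log format and the sample log lines are constructed for the example; the year (2021) and the treatment of the window's end time as UTC are assumptions, since the article gives neither.

```python
"""Scan proxy/DNS-style log lines for the Passwordstate loader indicator.

Added illustration for this article (not code from Click Studios or CSIS Group).
The indicator host and path come from the article; the log format, the sample
log lines and the year are constructed/assumed for the example.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicator from the article, kept defanged in source and refanged only for matching.
IOC_HOST_DEFANGED = "passwordstate-18ed2.kxcdn[.]com"
IOC_PATH = "/upgrade_service_upgrade.zip"

# Compromise window as reported in the article. ASSUMPTIONS: the article gives no
# year (2021 used here) and no zone for the "12:30 PM" end time (treated as UTC).
YEAR = 2021
WINDOW_START = datetime(YEAR, 4, 20, 8, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(YEAR, 4, 22, 12, 30, tzinfo=timezone.utc)

# Constructed log format: "<ISO-8601 UTC ts> <client ip> <METHOD> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]") back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that don't fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {
        "ts": ts,
        "client": m["client"],
        "method": m["method"],
        "url": m["url"],
        "status": int(m["status"]),
    }


def classify(entry):
    """Return a finding if the request went to the attacker CDN host, else None."""
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    if host != refang(IOC_HOST_DEFANGED):
        return None
    return {
        "ts": entry["ts"].isoformat(),
        "client": entry["client"],
        "host": host,
        # A fetch of the zip is the loader pulling its encrypted second stage.
        "stage2_fetch": parts.path == IOC_PATH,
        # Hits inside the window are consistent with the poisoned update itself;
        # later hits still matter (a loader already installed keeps calling out).
        "in_window": WINDOW_START <= entry["ts"] <= WINDOW_END,
    }


def scan(lines):
    """Run every line through parse_line/classify and collect the findings in order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log: one in-window stage-two fetch, one unrelated host on the
# same CDN provider, one out-of-window contact, and one malformed line.
SAMPLE_LOG = [
    "2021-04-21T10:15:02Z 10.20.30.40 GET https://passwordstate-18ed2.kxcdn.com/upgrade_service_upgrade.zip 200",
    "2021-04-21T10:16:00Z 10.20.30.40 GET https://example-cdn.kxcdn.com/static/app.js 200",
    "2021-04-25T03:00:00Z 10.20.30.41 GET https://passwordstate-18ed2.kxcdn.com/ 404",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the exact host rather than on the `kxcdn.com` provider suffix avoids flagging every customer of that CDN, and matching on the network indicator rather than on the DLL name is deliberate: the article notes the malicious `moserware.secretsplitter.dll` carried a legitimate copy of SecretSplitter, so the file name alone does not separate clean installs from poisoned ones.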
The dark side of password managers
Security professionals regularly recommend password managers because they make it easier for people to store long, complex passwords that are unique to hundreds or even thousands of accounts. Without the use of a password manager, many people resort to weak passwords that are reused for multiple accounts.
The breach of Passwordstate highlights the risk posed by password managers: they represent a single point of failure that can lead to the compromise of a large number of online assets. The risks are significantly lower when two-factor authentication is available and enabled, because the extracted passwords alone are not sufficient to obtain unauthorized access. Click Studios says Passwordstate offers several 2FA options.
The breach is especially worrying because Passwordstate is sold primarily to corporate customers who use the manager to store passwords for firewalls, VPNs and other corporate applications. Click Studios says Passwordstate “is trusted by more than 29,000 customers and 370,000 security and IT professionals worldwide, with an installed base spanning from the largest companies, including many Fortune 500 companies, to the smallest IT shops”.
Another supply-chain attack
The Passwordstate compromise is the latest high-profile supply-chain attack to surface in recent months. In December, a malicious update to the SolarWinds network management software installed a backdoor on the networks of 18,000 customers. Earlier this month, a tampered developer tool called Codecov Bash Uploader extracted secret authentication tokens and other sensitive data from infected machines and sent them to a remote site controlled by hackers.
The first-stage payloads uploaded to VirusTotal showed that, at the time this post went live, none of the 68 monitored endpoint protection programs detected the malware. Researchers have so far been unable to obtain samples of the second-stage payload.
Anyone using Passwordstate must immediately reset all stored passwords, especially those for firewalls, VPNs, switches, local accounts and servers.
Representatives from Click Studios did not respond to an email requesting comments on this post.