Passwordstate Update Compromised in a Supply Chain Attack to Deliver Malware

Passwordstate, an enterprise password manager’s software update, was allegedly malformed by a threat actor to infect thousands of companies using it. The maker of Passwordstate, Click Studios, informed its customers that hackers have compromised Passwordstate’s update mechanism and thus pushed an infectious update to customers having malware in it.

Passwordstate’s Infectious Update

Supply chain attacks are highly reliable and the most complex attacks in the cybersecurity space. This includes targeting one element of an ecosystem (like an internal employee), compromising his credentials and getting access to the whole network, and impacting their clients ultimately.

They’re hard to detect and can cause extreme damage since well rooted into the network before being realized. One such attack was reported by Click Studios, where the update mechanism of its famous Passwordstate is compromised for a supply chain attack.

???? Manager haseł PasswordState został zhackowany a komputery klientów zainfekowane.

Producent informuje ofiary e-mailem.

Ten manager haseł jest "korporacyjny", więc problem będzie dotyczyć przede wszystkim firm… Auć!

(Informacja od Tajemniczego Pedro) pic.twitter.com/PGHhmEKpje

— Niebezpiecznik (@niebezpiecznik) April 23, 2021

Passwordstate is an Enterprise Password Management solution based on the web and used by teams of people within a workplace. Accessible users can share sensitive password resources among them, with admins’ ability to set access levels for all users. As per Click Studios, Passwordstate is used by over 370,000 professionals in 29,000 companies.

Yesterday, Click Studios sent alerting emails to its customers with a subject title as “Confirmation of Malformed Files and Essential Course of Action.” In its email, Click Studios said that any update received and installed by Passwordstate customers between “20th April 8:33 PM UTC and 22nd April 0:30 AM UTC had the potential to download a malformed Passwordstate_ipgrade.zip.”

Hackers have added a loader to the update, which was sent after compromising the update mechanism for a brief two days. The loader has the ability to procure the next level payload, which is named Moserware, that can record and send the system information and Passwordstate data to the hacker’s C2.

Click Studios has advised users to reset all the passwords in their Passwordstate database for good and install a hotfix to remove the malware from the infectious update system. Also, the indicators of compromise were released to detect the hack.