Supply chain attack on password manager: Attack pattern from SolarWinds again!
by Svenja Koch
The supply chain attack pattern, which had already hit the company SolarWinds at the end of 2020, seems to be continuing successfully: More and more frequently, cybercriminals are trying to gain access to the computers and thus the data of their victims by infiltrating code into legitimate software. For example, there was recently a supply chain attack on the software manufacturer Click Studios and its password manager Passwordstate. In this case, the attackers managed to infiltrate malicious code via an update in order to steal passwords and other confidential data.
Click Studios first informed its customers about the attack, which took place between 20 and 22 April 2021, last Friday: It involved using the update mechanism to delete a malicious update via a zip file "Passwordstate_upgrade.zip" containing a fraudulent DLL "moserware.secretsplitter.dll". The company mentions that the C&C of the rogue DLL used a CDN (Content Delivery Network) that was terminated on 22 April 2021 at 7:00 UTC. It is assumed that the malware "Moserware", has siphoned off confidential information including existing passwords.* Passwordstate users who applied an update during the aforementioned period should therefore assume that their environment has been infiltrated and their system information as well as password data is considered compromised: This should include computer, user, domain and current process name, current process ID, name and ID of all running processes as well as user name and password. In addition, there are further fields in the password table of the Passwordstate instance. *https://www.csis.dk
The domain name and host name would not be extracted. There is so far "no indication that encryption keys or database connection strings were sent to the hackers' CDN network", according to Click Studios.
Recommendations for action
Click Studios is advising Passwordstate users to immediately reset all their passwords if they downloaded the "Passwordstate_upgrade.zip" upgrade in the 28 hours between April 20, 8.33 PM UTC and April 22, 0.30 AM UTC. "Only customers who performed in-place upgrades between the above dates are believed to be affected and their Passwordstate password data may have been tapped," the company said.
Click Studios provides more information on this in an advisory pdf.