An attacker last week compromised the update functionality for the Passwordstate enterprise password manager and inserted a malicious DLL into an update that enabled the attacker to harvest sensitive data, including usernames and passwords, from affected customers.
The malicious update was available to customers for about 28 hours between April 20 and April 22 and Click Studios, the company that makes Passwordstate, said any customer that performed an in-place upgrade of the software during that time is potentially affected.
“Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios’ website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network,” an incident response advisory from Click Studios says.
“The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers’ password records may have been harvested.”
The malware that’s installed on machines with the malicious update collects an array of information that it then sends back to its command-and-control server on an outside CDN. The information collected includes a variety of data about the machine, such as the computer name, user name, domain name, and current processes that are running. The malware also copies the proxy server address for the Passwordstate instance.
“When the In-Place Upgrade capability processes the malformed Passwordstate_upgrade.zip, a modified moserware.secretsplitter.dll, with a size of 65kb, is loaded. This subsequently downloads an additional file, upgrade_service_upgrade.zip, from a bad actor’s CDN network, starts a new background thread, converts the upgrade_service_upgrade.zip to a .NET assembly only stored in memory and begins processing,” the advisory says.
“The process extracts information about the computer system, and selects Passwordstate data, which is then posted to the bad actor’s CDN network.”
Researchers at CSIS Group in Denmark investigated an incident involving the malicious update and analyzed the malware, which they named Moserpass.
“The rogue dll that we discovered was the dll named ‘Moserware.SecretSplitter.dll’ that was injected/modified with a malicious code snippet. A small code ‘Loader’ was added to the original dll,” the CSIS Group analysis says.
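A defender-side integrity check suggested by the advisory and the CSIS finding above: compare the installed Moserware.SecretSplitter.dll against a copy from a clean, manually downloaded package (manual upgrades were not affected) and look for the second-stage archive. This is an added example, not code from Click Studios or CSIS Group; the known-good hash, the directory layout and the sample file bytes are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# File names come from the advisory quoted above. The known-good hash is NOT on
# the page: the operator obtains it by hashing the DLL from a clean, manually
# downloaded Passwordstate package, then passes it to triage_install().
TAMPERED_DLL = "moserware.secretsplitter.dll"
SECOND_STAGE = "upgrade_service_upgrade.zip"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_install(install_dir: Path, reference_sha256: str) -> dict:
    """Walk an install tree; report a DLL hash mismatch or a second-stage archive."""
    findings = {"dll_mismatch": [], "second_stage": []}
    for p in install_dir.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()  # NTFS names are case-insensitive; normalise
        if name == TAMPERED_DLL and sha256_of(p) != reference_sha256.lower():
            findings["dll_mismatch"].append(str(p))
        elif name == SECOND_STAGE:
            findings["second_stage"].append(str(p))
    return findings


def is_suspect(findings: dict) -> bool:
    return bool(findings["dll_mismatch"] or findings["second_stage"])


def run_demo() -> dict:
    """Constructed sample data: a clean tree and an in-place-upgraded tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "clean" / "bin" / "Moserware.SecretSplitter.dll"
        good.parent.mkdir(parents=True)
        good.write_bytes(b"GOOD-DLL-BYTES" * 100)
        reference = sha256_of(good)  # stands in for the operator's known-good hash
        bad = root / "upgraded" / "bin" / "Moserware.SecretSplitter.dll"
        bad.parent.mkdir(parents=True)
        bad.write_bytes(b"GOOD-DLL-BYTES" * 100 + b"LOADER")  # tampered copy
        (root / "upgraded" / SECOND_STAGE).write_bytes(b"PK\x03\x04")
        return {"clean": is_suspect(triage_install(root / "clean", reference)),
                "upgraded": is_suspect(triage_install(root / "upgraded", reference))}
```

Because the loader converts the second stage to an in-memory assembly, the archive may not be on disk, so the DLL hash mismatch is the check to rely on. A mismatch on a host that ran an in-place upgrade in the stated window means the stored password records should be treated as exposed, as the advisory says.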
The Passwordstate incident is the latest supply-chain compromise to emerge in what has become a steady stream of such attacks. The most prominent and damaging example is the SolarWinds breach from late 2020, but there have been several less flashy ones, as well. Earlier this month, the Codecov bash uploader tool was compromised, for example.
Click Studios said that the compromise of the update functionality was not the result of stolen credentials, but did not specify how the attacker gained access to the system. The company did not provide an estimate for the number of customers affected by the malicious update, either.