Australian software producer Click Studios has fallen victim to a security breach that resulted in a supply-chain attack. In April 2021, adversaries compromised the upgrade mechanism of Click Studios’ Passwordstate enterprise password management application to deliver the Moserpass malware onto customers’ systems. The number of affected customers is currently unknown; the vendor states that the infection rate is very low, but the investigation is ongoing and the final victim count might increase. To date, over 29K companies worldwide rely on Passwordstate to manage their daily processes, including Fortune 500 enterprises, government institutions, and defense agencies.
Supply Chain Attack Details
The official Click Studios statement reveals that the security breach occurred between the 20th of April 2021, 8:33 PM UTC, and the 22nd of April 2021, 00:30 UTC, a window of roughly 28 hours. Any customer who performed an in-place upgrade of Passwordstate during this period may have put their corporate systems at risk.
According to research from CSIS Group, the security firm investigating the attack, malicious actors managed to compromise the upgrade director file located on the Click Studios website and thereby interfere with the in-place upgrade mechanism of the Passwordstate app. In particular, the attackers modified the update to include a malicious “Moserware.SecretSplitter.dll” library containing a small piece of code dubbed “Loader.” As a result, the regular update delivered Moserpass malware to victims in the form of a “Passwordstate_upgrade.zip” file. Notably, the rogue DLL relied on a Content Delivery Network (CDN) that was taken down on the 22nd of April 2021, 7 AM UTC.
Moserpass Malicious Functionality
Upon infection, Moserpass collects sensitive system and Passwordstate data and sends it to a command-and-control (C&C) server under the attackers’ control. Specifically, the malware dumps details such as the computer name, user name, domain name, current process name, current process ID, the names of all running services, the Passwordstate installation’s proxy server address, and Passwordstate credentials, among others. The Domain Name and Host Name fields of the stored Passwordstate records, however, are reported not to be collected. Also, there is no evidence of encryption keys or database connection strings being transferred to the attackers’ C&C. After gathering and uploading the data, Moserpass sleeps for 24 hours and then repeats the cycle.
It is worth noting that customers who keep their Passwordstate credentials encrypted are considered safe, since Moserpass has no capability to harvest such data.
Detection and Mitigation
Click Studios urges its customers to reset the passwords stored in Passwordstate as soon as possible. The vendor has also issued a detailed advisory with the relevant mitigation steps.
To detect possible malicious activity and protect your organization’s infrastructure, SOC Prime customers can download the latest detection rules published in Threat Detection Marketplace. All content is mapped to the MITRE ATT&CK® framework and includes the corresponding references and descriptions:
- Identify Possible Compromised PasswordState Software [Supply chain attack] (via cmdline)
- Identify Possible Compromised PasswordState Software [Supply chain attack] (via image_load)
- Identify Possible Compromised PasswordState Software [Supply chain attack] (via proxy)
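The three detection angles listed above (command line, image load, proxy), together with the 24-hour sleep cycle described in the previous section, can be expressed as a small triage script. The following is an added example written for this post; it is not SOC Prime’s Threat Detection Marketplace content and not Click Studios’ code. It runs over constructed Sysmon-style events and proxy log lines embedded in the script. The known-good DLL digest, the Passwordstate server hostname, and the allowlisted update host are placeholders that you must replace with values from your own environment (the legitimate Moserware.SecretSplitter.dll hash should be taken from a clean install). The compromise window is the one stated in the vendor advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Compromise window stated in the Click Studios advisory (UTC).
WINDOW_START = datetime(2021, 4, 20, 20, 33, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 4, 22, 0, 30, tzinfo=timezone.utc)

# PLACEHOLDERS: replace with values from your environment. KNOWN_GOOD_SHA256 is the
# digest of the legitimate Moserware.SecretSplitter.dll from a clean Passwordstate install.
KNOWN_GOOD_SHA256 = {"0" * 64}
PASSWORDSTATE_HOSTS = {"pwstate01"}
ALLOWED_UPDATE_HOSTS = {"www.clickstudios.com.au"}

# Moserpass sleeps 24 hours between exfiltration rounds, so look for that cadence.
BEACON_PERIOD = timedelta(hours=24)
BEACON_TOLERANCE = timedelta(minutes=10)


def parse_sysmon_utc(value):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.fff', already in UTC."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def sha256_from_hashes(field):
    """Sysmon 'Hashes' is 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'; pull out the SHA-256."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", field)
    return m.group(1).lower() if m else None


def suspicious_image_loads(events):
    """Event ID 7 (image load): Moserware.SecretSplitter.dll whose digest is not on the known-good list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        loaded = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        if loaded != "moserware.secretsplitter.dll":
            continue
        if sha256_from_hashes(ev.get("Hashes", "")) not in KNOWN_GOOD_SHA256:
            hits.append(ev)
    return hits


def suspicious_cmdlines(events):
    """Event ID 1 (process create): any command line handling Passwordstate_upgrade.zip inside the window."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if "passwordstate_upgrade.zip" not in ev.get("CommandLine", "").lower():
            continue
        if WINDOW_START <= parse_sysmon_utc(ev["UtcTime"]) <= WINDOW_END:
            hits.append(ev)
    return hits


def suspicious_proxy(lines):
    """Proxy log in a constructed format: '<ISO-8601 UTC> <client host> <destination host> <method> <path>'.
    Flags Passwordstate servers reaching non-allowlisted hosts, and those (client, destination)
    pairs whose request spacing matches the 24-hour Moserpass cycle."""
    unknown = []
    timeline = defaultdict(list)
    for line in lines:
        ts, client, dest, _method, _path = line.split()
        if client.lower() not in PASSWORDSTATE_HOSTS or dest.lower() in ALLOWED_UPDATE_HOSTS:
            continue
        unknown.append((client, dest))
        timeline[(client, dest)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    beacons = []
    for pair, times in timeline.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if any(abs(gap - BEACON_PERIOD) <= BEACON_TOLERANCE for gap in gaps):
            beacons.append(pair)
    return {"unknown_destinations": sorted(set(unknown)), "beacons": sorted(beacons)}


# Constructed sample telemetry for the example; hashes, hosts, paths and command lines are made up.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS_DLL = r"C:\inetpub\Passwordstate\bin\Moserware.SecretSplitter.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2021-04-21 09:15:02.117", "Image": W3WP, "ImageLoaded": PS_DLL,
     "Hashes": "SHA256=" + "ab" * 32},                      # unknown digest -> hit
    {"EventID": 7, "UtcTime": "2021-04-19 08:00:00.000", "Image": W3WP, "ImageLoaded": PS_DLL,
     "Hashes": "SHA256=" + "0" * 64},                       # known-good placeholder -> clean
    {"EventID": 1, "UtcTime": "2021-04-21 09:14:40.000",
     "CommandLine": r"powershell -c Expand-Archive C:\Temp\Passwordstate_upgrade.zip C:\inetpub\Passwordstate"},
    {"EventID": 1, "UtcTime": "2021-04-10 10:00:00.000",   # same command, outside the window -> clean
     "CommandLine": r"powershell -c Expand-Archive C:\Temp\Passwordstate_upgrade.zip C:\inetpub\Passwordstate"},
]
SAMPLE_PROXY = [
    "2021-04-21T09:15:05Z PWSTATE01 cdn.example.net GET /stage2.bin",
    "2021-04-21T09:15:30Z PWSTATE01 www.clickstudios.com.au GET /version.txt",
    "2021-04-22T09:16:01Z PWSTATE01 cdn.example.net POST /collect",
    "2021-04-23T09:15:58Z PWSTATE01 cdn.example.net POST /collect",
    "2021-04-21T12:00:00Z WKSTN07 cdn.example.net GET /stage2.bin",   # not a Passwordstate host -> ignored
]

if __name__ == "__main__":
    print("image_load hits:", len(suspicious_image_loads(SAMPLE_EVENTS)))
    print("cmdline hits:", len(suspicious_cmdlines(SAMPLE_EVENTS)))
    print("proxy:", suspicious_proxy(SAMPLE_PROXY))
```

The image-load check deliberately keys on the digest rather than the file name, because the legitimate Passwordstate install also loads a library of that name; only an unrecognised build is interesting. The beacon check is the piece a name- or hash-based rule cannot give you: a Passwordstate server that contacts an unfamiliar host once a day, with a gap close to 24 hours, matches the sleep-then-exfiltrate loop described above even after the original CDN is gone.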
Subscribe to Threat Detection Marketplace for free to boost your cyber defense capabilities. Our SOC content library contains over 100K detection and response rules, parsers, search queries, and other relevant SOC content so you can withstand the growing number of cyber-attacks. Keeping a close eye on the latest cybersecurity trends and want to participate in threat hunting activities? Take the chance to contribute to the world’s safety by joining our Threat Bounty Program.