Beware: Passwordstate Password manager update hijacked

Click Studios, the Australian software company behind the Passwordstate password management application, has notified customers that their passwords must be reset.


A bad actor used sophisticated techniques to hack the software’s update function and use it to drop malware on consumer machines, according to the Adelaide-based company.


The violation is said to have occurred between 8:33 p.m. UTC on April 20 and 0:30 a.m. UTC on April 22, a total of 28 hours.


In an advisory, the company reported that “only customers that performed In-Place Upgrades between the times stated above are believed to be affected”.


” The security of Passwordstate’s manual upgrades is not jeopardized. It’s possible that the password histories of affected customers have been harvested”.


The Polish tech news site Niebezpiecznik was the first to report on the news. It’s unclear who the attackers are or how they gained access to the password manager’s update function.


The incident is still being investigated by Click Studios, but “the number of affected customers appears to be very limited”, according to the company.


Also read: Apple bug allows hackers to steal phone numbers and email addresses from AirDrop users


Passwordstate is an on-premise web-based password management service that allows companies to securely store passwords, incorporate the solution into their applications, and reset passwords across a variety of systems.


Several Fortune 500 firms, as well as 29,000 customers and 370,000 security and IT professionals around the world, use the app, which spans verticals such as banking, insurance, protection, government, education, and manufacturing.


The malware-laced update came in the form of a ZIP archive file called “Passwordstate,” which included a modified version of a library called “moserware.secretsplitter.dll,” according to an initial review shared by Denmark-based security firm CSIS Group (VirusTotal submissions here and here).


You might also like: Beware: Ficker-info stealing malware is pretending to be Microsoft Store


This file then connected to a remote server to download a second-stage payload (“upgrade service”) that extracted Passwordstate data and sent it back to the attacker’s CDN network.


The server was taken offline on April 22 at 7:00 a.m. UTC, according to Click Studios.


Computer name, username, domain name, current process name, current process ID, names and IDs of all running processes, names and IDs of all running services, display name and status, Proxy Server Address of Passwordstate instance, usernames and passwords are all included in the list of compromised data.


Customers may download a hotfix package from Click Studios that will help them uninstall the attacker’s tampered DLL and replace it with a legitimate version.


Businesses should also reset all credentials associated with external facing systems (firewalls, VPNs), internal infrastructure (storage systems, local systems), and all other passwords held in Passwordstate, according to the company.