Enterprise password manager Passwordstate hit by supply chain attack

Passwordstate, a password manager for businesses, has been hit by a supply chain attack. The attackers were in the software’s supply chain for about 28 hours, but it’s unknown how many of the more than 29,000 customers were affected.

The Danish security company CSIS Group, among others, writes about the attack. The attackers broke into developer ClickStudios’ systems and posted a software update for the self-hosted password manager. That fake update contained a modified version of “Moserware.SecretSplitter.dll,” with an onboard “Loader” that contacted a server owned by the attackers. There, the malware would retrieve the payload, but it’s unknown what would be inside; CSIS was unable to obtain it because the server is already offline.

ClickStudios has an unknown number of customers by email informed and will go public with a public message. In that message, it states that the malware would send usernames, passwords and a list of running processes to the attackers’ server, among other things. The report also states that it “appears very few customers have been affected, although that may change with new information.” The attackers would not have entered ClickStudios using stolen or weak passwords.

The Australian company is releasing a hotfix to replace the infected file. It also recommends replacing all passwords on Internet-exposed systems, internal infrastructure, and all passwords stored in Passwordstate.