PasswordState Password Manager Supply Chain Attack Delivers Password-Stealing Malware
Password managers can greatly improve security. They help users create strong, difficult-to-guess passwords and store them in an encrypted vault. Because the manager remembers the complex passwords, users no longer need to, which removes one of the most common causes of weak security: reusing the same password on multiple accounts. All a user needs to set and remember is a single strong master password for the vault.
One drawback of password managers is that, while they improve security, the vault is usually housed on a third-party server, so users depend on the security of the solution provider. Some providers offer a self-hosted option instead; many businesses feel more comfortable with this and are confident in their ability to secure their own environments.
PasswordState from Click Studios is a self-hosted rather than cloud-hosted password management solution. While this can be more secure than a cloud-hosted solution, it does not mean breaches will not occur. Recently, some PasswordState users discovered they had inadvertently installed malware when they installed a PasswordState update.
Between 4:33 pm ET on April 20 and 7 pm ET on April 21, 2021, PasswordState customers who installed an update received malware capable of exfiltrating password data, information on running processes, system configurations, and other sensitive data. The malware was configured to collect and exfiltrate data once a day.
Normally, the updater downloads additional files for PasswordState from Click Studios' content delivery network (CDN) and performs the update. In this case, however, a threat actor had compromised the in-place updater on Click Studios' servers and modified it to also fetch additional files from a third-party CDN outside the company's control – credential-stealing malware.
It took Click Studios 28 hours to discover the breach, during which time the malware was being delivered to its customers. Fortunately, the small window of opportunity limited the number of affected customers. Click Studios quickly addressed the problem and issued a hotfix to remove the malware and malicious files, but since passwords were obtained, affected customers had to change all of their passwords. Click Studios said only "a small number" of customers had been affected.
Some customers were unhappy with the breach and took to social media networks to complain, with some also sharing photographs of the notifications they received from Click Studios. This gave the threat actor behind the campaign another opportunity.
The threat actor behind the attack was monitoring social media networks and used the details in the breach notice to craft a phishing campaign, using Click Studios' official breach notification as a template and adding links to download a modified hotfix. Customers who followed those links did not receive the genuine hotfix that removes the malware; instead, they received a modified hotfix that downloaded files from a CDN not under Click Studios' control and delivered credential-stealing malware.
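Both stages of this incident share one shape: a download step was changed to pull a file from a CDN outside the vendor's control. The Python below is an added illustration (not code from this article or from Click Studios) of the client-side checks an updater or hotfix installer can apply before installing anything: an HTTPS-only allowlist of vendor hostnames, a SHA-256 pin per file from the update manifest, and a fail-closed rule that rejects the whole package if any single file fails. The hostnames, file names, manifests and "downloaded" bytes are constructed placeholders, and the in-memory `FAKE_NETWORK` dictionary stands in for real HTTP fetches so the example runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hostnames the updater may fetch from. Placeholder value (assumption), not
# Click Studios' real CDN; a production updater would pin its real CDN here.
TRUSTED_HOSTS = {"cdn.vendor.invalid"}

# Constructed stand-in for HTTP downloads so the example runs offline. The second
# URL plays the role of the attacker-controlled CDN described in the article.
FAKE_NETWORK = {
    "https://cdn.vendor.invalid/updates/core.dll": b"legitimate vendor update bytes",
    "https://cdn.attacker.invalid/loader.dll": b"injected credential-stealer bytes",
}


class UpdateRejected(Exception):
    """Raised when any part of an update package fails verification."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_origin(url: str) -> None:
    """Reject anything not served over HTTPS from an allowlisted host.

    Exact hostname matching defeats look-alike subdomains and userinfo tricks
    such as https://cdn.vendor.invalid@cdn.attacker.invalid/ (urlparse reports
    the real host, cdn.attacker.invalid).
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"{url}: scheme {parts.scheme!r} is not https")
    if parts.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"{url}: host {parts.hostname!r} is not an allowlisted CDN")


def audit_update(manifest, fetcher=FAKE_NETWORK.get):
    """Fetch every manifest entry and return a list of failure reasons (empty if clean).

    Each entry is {"name", "url", "sha256"}; "sha256" is the digest pinned in the
    manifest that ships with the update.
    """
    failures = []
    for entry in manifest:
        try:
            check_origin(entry["url"])
            data = fetcher(entry["url"])
            if data is None:
                raise UpdateRejected(f"{entry['name']}: download failed")
            # compare_digest is habitual for digests even though these are public values.
            if not hmac.compare_digest(sha256_hex(data), entry["sha256"].lower()):
                raise UpdateRejected(f"{entry['name']}: SHA-256 mismatch, refusing to install")
        except UpdateRejected as exc:
            failures.append(str(exc))
    return failures


def verify_update(manifest, fetcher=FAKE_NETWORK.get):
    """Fail closed: return {name: bytes} only when every entry verifies.

    One bad entry aborts the whole package, so a partially applied update can
    never leave an attacker's file sitting next to legitimate ones.
    """
    failures = audit_update(manifest, fetcher)
    if failures:
        raise UpdateRejected("update aborted: " + "; ".join(failures))
    return {entry["name"]: fetcher(entry["url"]) for entry in manifest}


# Constructed manifests. GOOD pins the genuine file. TAMPERED adds one extra download
# from a host outside the vendor's control, the same shape as the compromised updater
# and the fake hotfix; note the attacker can supply a matching hash for their own file,
# so only the origin allowlist catches it. SWAPPED models a file replaced on the
# legitimate host, which the hash pin catches even though the origin is trusted.
GOOD_URL = "https://cdn.vendor.invalid/updates/core.dll"
BAD_URL = "https://cdn.attacker.invalid/loader.dll"
GOOD_MANIFEST = [{"name": "core.dll", "url": GOOD_URL, "sha256": sha256_hex(FAKE_NETWORK[GOOD_URL])}]
TAMPERED_MANIFEST = GOOD_MANIFEST + [
    {"name": "loader.dll", "url": BAD_URL, "sha256": sha256_hex(FAKE_NETWORK[BAD_URL])},
]
SWAPPED_MANIFEST = [{"name": "core.dll", "url": GOOD_URL, "sha256": "00" * 32}]

if __name__ == "__main__":
    for label, manifest in [("good", GOOD_MANIFEST), ("tampered", TAMPERED_MANIFEST), ("swapped", SWAPPED_MANIFEST)]:
        print(label, audit_update(manifest) or "ok")
```

The hash pin only helps if the manifest itself cannot be rewritten by whoever controls the update server, so in practice the manifest is signed with a vendor key that is pinned in the already-installed client and kept off the download infrastructure; that signature check sits in front of `audit_update` and is omitted here to keep the example focused on the two controls this incident highlights. The hotfix stage of the attack is covered by the same logic: a hotfix delivered by e-mail link is just another package whose download URL must pass `check_origin`.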