Security Alert: Supply Chain Attack Targets Passwordstate Users
Click Studios, an Australian software provider, has issued an urgent notice for clients of its password management solution, Passwordstate, to reset their passwords following a detected breach attributed to a supply chain attack. The Adelaide-based firm reported that the attack exploited sophisticated techniques to infiltrate its software update mechanism, allowing malware to be deployed onto user systems.
The breach reportedly took place within a narrow window from April 20 at 8:33 PM UTC to April 22 at 12:30 AM UTC, spanning approximately 28 hours. According to Click Studios, only those customers who executed In-Place Upgrades during that specified period are believed to be affected, while manual upgrades appear to remain secure. The company indicated that customer password records may have been compromised during this incident.
Initial reports from the Polish tech publication Niebezpiecznik revealed that the attackers managed to manipulate the update feature, although their identity and methods remain unclear. Click Studios' investigation is ongoing, and the company says the number of impacted users is minimal. Passwordstate itself is a web-based, on-premises solution used for comprehensive enterprise password management, aimed at securely storing passwords across various organizational applications. It currently serves approximately 29,000 clients worldwide, including numerous Fortune 500 companies across multiple industries such as finance, education, and manufacturing.
Analysis from CSIS Group, a Denmark-based cybersecurity firm, identified the compromised update as a ZIP file named “Passwordstate_upgrade.zip,” which contained a manipulated version of a critical library titled “moserware.secretsplitter.dll.” This altered file then initiated a connection to an external server to retrieve a second-stage payload that extracted sensitive data from Passwordstate. Click Studios confirmed that this compromised server was taken offline as of April 22 at 7:00 AM UTC.
The data compromised reportedly included not only account names and usernames but also system details such as computer names, domain names, running process information, and even service statuses. In response to the breach, Click Studios has provided a hotfix package to assist clients in removing the malicious DLL file and replacing it with a legitimate version. Furthermore, the company is recommending that all organizations reset credentials related to externally facing systems and any credentials stored within Passwordstate.
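A defender-side check that follows from the two paragraphs above, added here as an example and not Click Studios' own code: before an In-Place Upgrade, or after applying the hotfix, verify every member of the update archive against a pinned manifest so a swapped moserware.secretsplitter.dll or an unexpected extra file is flagged. The expected hash and the archive contents are constructed placeholders, since the page gives no digest for the legitimate DLL.

```python
"""Verify the members of a Passwordstate-style update ZIP against a
pinned manifest before running an In-Place Upgrade.

Added example, not Click Studios' code. The expected hash below is a
constructed placeholder: a real deployment would pin the digest the
vendor publishes for the legitimate moserware.secretsplitter.dll.
"""
import hashlib
import io
import zipfile

# Constructed manifest: member name -> expected SHA-256 (placeholder value).
EXPECTED = {
    "moserware.secretsplitter.dll": hashlib.sha256(b"legitimate dll bytes").hexdigest(),
}


def verify_update(zip_bytes: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means every pinned member
    matched its hash and no unpinned file was present in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        for name in names:
            digest = hashlib.sha256(zf.read(name)).hexdigest()
            if name not in manifest:
                findings.append(f"unexpected member: {name}")
            elif digest != manifest[name]:
                findings.append(f"hash mismatch: {name}")
        for name in manifest:
            if name not in names:
                findings.append(f"missing member: {name}")
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_zip({"moserware.secretsplitter.dll": b"legitimate dll bytes"})
    tampered = build_zip({"moserware.secretsplitter.dll": b"swapped dll bytes"})
    print(verify_update(clean, EXPECTED))     # []
    print(verify_update(tampered, EXPECTED))  # ['hash mismatch: moserware.secretsplitter.dll']
```

In practice the manifest would be obtained out of band from the vendor (or from a known-good install), not from inside the archive being checked.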
This incident underscores the rising threat posed by supply chain attacks, a growing concern for businesses that depend on third-party software for operational efficiency. Recent similar attacks have included the infamous December 2020 SolarWinds Orion incident, which affected thousands of customers after a rogue update installed backdoors in their systems. Additionally, the software auditing firm Codecov recently disclosed a backdoor infection that targeted various customer environments, highlighting the increasing complexity and severity of such cybersecurity risks.
Given the severity of this incident, understanding the tactics employed in the breach is essential for businesses. Likely MITRE ATT&CK tactics include initial access, by which attackers gain a first foothold within a network (here, through the trusted update channel); persistence, enabling them to maintain that foothold after initial access; and exfiltration, reflecting the extraction of sensitive information from compromised environments. As Click Studios continues its investigation, the incident serves as a crucial reminder for businesses to remain vigilant and proactive in securing their systems against evolving threats.