By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast
By security practitioners, for security practitioners

Passwordstate Users Delivered Malware Via Automatic Update

Password management app Passwordstate suffered a supply chain attack that allowed attackers to push malware out to users by hijacking its automatic update mechanism, allowing potential harvesting of password data.

Customers of Passwordstate should change critical passwords ASAP.


What’s the nature of the breach?

Click Studios, developer of Passwordstate, saw their in-place automatic update mechanism compromised by attackers.

Similar to other supply chain attacks, the attackers utilized the application’s automatic update feature to push malware out to users’ machines. In a time window from April 20 8:33 PM UTC to April 22 0:30 AM UTC, any client executing the automatic update was delivered a compormised update file with a malware payload.

Users who had disabled automatic update or update manually are not at risk.

An infected machine was observed contacting what is believed to be a command and control (C2C) server, which has since gone offline.

CSIS Security Group, who dealth with the breach, and has dubbed the malware attack “Moserpass,” stated:

Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested.

 

Who is affected? 

Users who performed in-place upgrade of Passwordstate between 20th April 2021 8:33 PM UTC and 22nd April 2021 0:30 AM UTC are potentially affected. Tests for compromise are outlined below.
 

What’s the risk?

Passwords are the lynch pin of most organizations’ security. While password managers mostly reduce risk by allowing complex and unique passwords, it does create a single point of failure should the master password be compromised. 

Passwordstate as a solution is positoned as an overarching password management for the enterprise, touching multiple critical areas such as Active Directory, access control, and multifactor authentication.

With passwords to multiple assets compromised, an entire organization is up for grabs. If the organization manages other organizations’ security data, the damage can be cascading.

 
How can I mitigate/remediate?

If you are an administrator of a Passwordstate installation and think you might be affected by the attack, there are steps to take. This is diectly from the Click Studios advisory linked in Resources at the bottom of this email. 
 

Determine if you’re affected:

Check the file size of moserware.secretsplitter.dll located in c:inetpubpasswordstatebin . If the file size is 65kb then it is likely to have been affected.

Affected users are requested to contact Click Studios with a directory listing of c:inetpubpasswordstatebin output to a file called PasswordstateBin.txt and send this to Click Studios Technical Support.
 

IOCs

  • Malicious dll:
    f23f9c2aaf94147b2c5d4b39b56514cd67102d3293bdef85101e2c05ee1c3bf9
    Moserware.SecretSplitter.dll
  • User-Agent:
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36
  • C&C:
    https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip

    In fact the complete URL would be something like:

    https://passwordstate-18ed2.kxcdn[.]com/upgrade_service_upgrade.zip?id=132636829278221866 where the value “132636829278221866” is the actual UTC time. The value here is equal to: GMT: Friday, April 23, 2021 8:22:07 PM.
     
  • Additional C&Cs:
    • passwordstate-18ed0.kxcdn[.]com
    • passwordstate-18ed1.kxcdn[.]com
    • passwordstate-18ed4.kxcdn[.]com
    • passwordstate-18ed5.kxcdn[.]com
    • passwordstate-8665.kxcdn[.]com

If affected, users should:

  1. Download the advised hotfix file
  2. Use PowerShell to confirm the checksum of the hotfix file matches the details supplied
  3. Stop the Passwordstate Service and Internet Information Server
  4. Extract the hotfix to the specified folder
  5. Restart the Passwordstate Service, and Internet Information Server

Once this is done it is important that customers commence resetting all Passwords contained within Passwordstate. These may have been posted to the bad actor’s CDN network. Click Studios recommends prioritizing resets based on the following;

  1. All credentials for externally facing systems, i.e., Firewalls, VPN, external websites etc.
  2. All credentials for internal infrastructure, i.e., Switches, Storage Systems, Local Accounts
  3. All remaining credentials stored in Passwordstate

Still have questions?

Contact your SOC Lead, or call the Novacoast SOC at (866) 863-9575 to speak with our briefed technicians who can advise and assist you.

References

CSIS Security :
https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/ (link since removed by CSIS)

Click Studios official advisory:
https://www.clickstudios.com.au/advisories/default.aspx

Previous Post

SonicWall Email Security Products Target of Zero-Day Exploits

Next Post

macOS 11.3 Update Patches Anti-Malware Bypass Zero-Day

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.