Passwordstate, a password manager for businesses, has been hit by a supply chain attack. The attackers were in the software supply chain for about 28 hours, but it is unknown how many of the more than 29,000 customers were affected.
The Danish security company CSIS Group, among others, has written about the attack. The attackers broke into the systems of developer ClickStudios and planted a software update for the self-hosted password manager. That spoofed update contained a modified version of “Moserware.SecretSplitter.dll” that included a “Loader”, which contacted a server controlled by the attackers. From there the malware would retrieve the payload, but it is unknown what that payload contained; CSIS was unable to obtain it because the server is already offline.
ClickStudios has notified an unknown number of customers by email and is making a public announcement. In that message, it states that the malware would send usernames, passwords, and a list of running processes, among other things, to the attackers’ server. The message also states that it “appears that very few customers have been affected, although this may change with new information.” The attackers reportedly did not get into ClickStudios using stolen or weak passwords.
The Australian company has released a hotfix to replace the infected file. It also recommends replacing all passwords for systems exposed to the internet and for internal infrastructure, as well as all passwords stored in Passwordstate.