Enterprise Password Manager Compromised
Last week, Click Studios, the Australian developer of Enterprise password manager Passwordstate, informed customers that cybercriminals had compromised the password manager’s update feature located on Click Studios’ website. Enterprise password managers allow employees to exchange passwords and other confidential information within the company. Click Studios issued an incident management advisory, explaining their findings. “Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au.” Passwordstate’s upgrade director points the In-Place Upgrade to the appropriate version of software located on the company’s content distribution network. However, in this instance, when customers performed the in-place upgrade, they potentially downloaded a malicious file. This initiated a whole process intended to steal confidential information that customers had stored in Passwordstate.
Unknown Number of Customers Affected
It is unknown how many customers might have been affected by this supply chain attack. According to Click Studios, Passwordstate is used by 29,000 customers and 370,000 security and IT professionals worldwide, across various industries. These industries include Fortune 500 companies, large banks, and governmental and defense organizations. Attackers managed to compromise the update mechanism from April 20 to April 22. Consequently, they were able to roll out an infected update among active customers for two days. The compromise existed for approximately 28 hours before it was detected and secured. Click Studios analyzed the compromised data. They found that hackers extracted the following type of sensitive information: computer names, user names, domain names, process IDs, display names and statuses, Passwordstate instance’s Proxy Server Addresses, usernames, passwords, and more.
How Did This Happen and What to Do Next?
How the attackers were able to gain access to the update system has not yet been disclosed. “Our number one priority is preventing the compromise from continuing to be exploited and to work with our customers, identifying if they have been affected and advising them of the required remedial actions.” The company has informed customers via email and has provided a security fix. They also warned affected customers to reset all stored passwords. And especially credentials for VPNs, firewalls, switches, local accounts, or any server passwords. Moreover, Click Studios is liaising with a third party to assist them with an in-depth analysis of the incident and direction for specialist support. The company also confirmed that, at this stage, the number of affected customers appears to be very low. However, this may change when more customers notice something is amiss.