Passwordstate
Passwordstate update pushed Moserpass credential stealer.
Passwordstate's enterprise password manager update mechanism was compromised by an unknown actor. For about 28 hours, it distributed a malicious update containing Moserpass, malware built to exfiltrate system details and stored Passwordstate credential data from the very vault trusted to protect secrets.
- Date
- 2021-04-20 to 2021-04-22
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- Distribution
- Impact
- Credential theft
- Cause
- Update mechanism compromise
What Was Affected
Package
Passwordstate
Component
Application
Artifact type
binary archive
Domain type
project download host
Domain
clickstudios.com.au
Compromised Versions
- Passwordstate In-Place Upgrades performed between Apr 20 20:33 UTC and Apr 22 00:30 UTC, 2021
Incident Context
- Motive
- Credential theft
- Attribution
- Unknown attacker
- Transitive
- No
- User Impact
- 1000
- Observed Duration
- 2 days
Evidence
Compromised Artifacts
- passwordstate-18667.kxcdn.com/passwordstate/upgrades/Passwordstate_upgrade.zip
- updates.clickstudios.com.au/passwordstate/upgrades/Passwordstate_upgrade.zip
Current Artifacts and Analysis
- virustotal.com/gui/file/502bf5e87e1809e6b2317888fab546aa1d22389922d83bb81a35b602ed12c23e
- Original CSIS Group analysis (link dead): https://www.csis.dk/newsroom-blog-overview/2021/moserpass/
- Original ESET IoC link (link dead): https://github.com/eset/malware-ioc/tree/master/moserpass
Indicators and Changes
Hashes
- sha256:502bf5e87e1809e6b2317888fab546aa1d22389922d83bb81a35b602ed12c23e
- sha256:e5ca693512ae940f1058ef2ffb6a3cb560661a9e5b78e9fea7a25dee4c7f65a9
- sha256:3559ef72396bc0bf5e8874cf5710a5aa0eef72c4b27af32e1f72ed5bacf9a271
External References
- https://www.csis.dk/newsroom-blog-overview/2021/moserpass/ # CSIS Group analysis (Link confirmed dead, needs alternative)
- https://www.bleepingcomputer.com/news/security/passwordstate-password-manager-breached-via-supply-chain-attack/ # (Link confirmed dead, needs alternative)
- https://socprime.com/blog/passwordstate-supply-chain-attack-exposes-29k-companies-to-the-risk-of-compromise/ # (Link confirmed dead, needs alternative)
- https://www.clickstudios.com.au/passwordstate-supply-chain-attack-information.html # Original vendor advisory page (Link confirmed dead/server error, needs alternative)
Source Data
Source record: proprietary/passwordstate/meta.yaml