Passwordstate update delivered Moserpass
Click Studios' Passwordstate in-place updater served a malformed upgrade that loaded Moserpass. The malware harvested system data and selected password records.
Story
Passwordstate was an on-premises enterprise password manager. Its value was also its risk: administrators used it to store firewall, VPN, infrastructure, application, and service credentials. In April 2021, attackers turned its trusted in-place update path into a credential collection path.
Click Studios said the initial compromise modified an upgrade director file on www.clickstudios.com.au. Manual upgrades were not believed affected. In-place upgrades performed between April 20, 2021 at 20:33 UTC and April 22, 2021 at 00:30 UTC could receive a malformed Passwordstate_upgrade.zip from infrastructure not controlled by Click Studios.
The malformed package loaded a modified Moserware.SecretSplitter.dll, about 65 KB in size. That DLL downloaded upgrade_service_upgrade.zip from passwordstate-18ed2.kxcdn.com, decrypted an in-memory .NET assembly, and started a background thread. The payload did not need to defeat Passwordstate's vault design in the abstract: it ran inside the application's own environment, with the access the application already had.
The malware collected host and process details, running services, Passwordstate proxy credentials, and selected password-table fields including title, username, description, notes, URL, generic fields, and password. Click Studios told affected customers to apply a hotfix, stop and restart Passwordstate and IIS, and reset stored passwords, starting with externally facing systems. A later fake-hotfix phishing wave is kept as related context, not as a separate supply-chain artifact, because it was delivered by email rather than through Passwordstate's official update path.
Affected Artifacts
- Observed: 2021-04-20 to 2021-04-22
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha256:502bf5e87e1809e6b2317888fab546aa1d22389922d83bb81a35b602ed12c23e
  - sha256:e5ca693512ae940f1058ef2ffb6a3cb560661a9e5b78e9fea7a25dee4c7f65a9
  - sha256:3559ef72396bc0bf5e8874cf5710a5aa0eef72c4b27af32e1f72ed5bacf9a271
  - +1 more
- Evidence:
  - distribution: passwordstate-18667.kxcdn.com/passwordstate/upgrades/Passwordstate_upgrade.zip
  - distribution: updates.clickstudios.com.au/passwordstate/upgrades/Passwordstate_upgrade.zip
  - mirror: virustotal.com/gui/file/502bf5e87e1809e6b2317888fab546aa1d22389922d83bb81a35b602ed12c23e
  - file: Passwordstate_upgrade.zip
  - +13 more
- Affected Passwordstate scope covered in-place upgrades performed between 2021-04-20T20:33Z and 2021-04-22T00:30Z.
- Click Studios said manual upgrades were not compromised and that its own CDN network was not compromised.
- Public reporting cited 29,000 customer organizations and 370,000 security and IT professionals as Passwordstate's exposed customer base, not as confirmed victims.
- The later fake-hotfix phishing campaign is recorded as follow-on context only; it was not delivered through the official Passwordstate update mechanism.
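An added triage script, not part of this record or of Click Studios' software, that hashes every file under a Passwordstate install directory against the SHA-256 values listed above and flags the files the Story names (the modified Moserware.SecretSplitter.dll and the two upgrade archives). The 60,000 to 70,000 byte band standing in for "about 65 KB", and the sample install tree it builds, are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values copied from this record's Hashes list; the record does not say
# which artifact each belongs to, so they are used only as a known-bad set.
KNOWN_BAD_SHA256 = {
    "502bf5e87e1809e6b2317888fab546aa1d22389922d83bb81a35b602ed12c23e",
    "e5ca693512ae940f1058ef2ffb6a3cb560661a9e5b78e9fea7a25dee4c7f65a9",
    "3559ef72396bc0bf5e8874cf5710a5aa0eef72c4b27af32e1f72ed5bacf9a271",
}
# Archive names the record ties to the malicious update chain (lower-cased).
CHAIN_NAMES = {"passwordstate_upgrade.zip", "upgrade_service_upgrade.zip"}
# The record calls the modified DLL "about 65 KB"; this byte band is an assumption.
DLL_NAME, DLL_SIZE_BAND = "moserware.secretsplitter.dll", (60_000, 70_000)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root: str) -> list[dict]:
    """Walk an install tree and return one finding per file that needs review."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name, digest, size = path.name.lower(), sha256_of(path), path.stat().st_size
        if digest in KNOWN_BAD_SHA256:
            reason = "sha256 matches a hash from the incident record"
        elif name == DLL_NAME and DLL_SIZE_BAND[0] <= size <= DLL_SIZE_BAND[1]:
            reason = "SecretSplitter DLL in the ~65 KB band; compare with vendor-published hash"
        elif name in CHAIN_NAMES:
            reason = "update-chain archive present; check which host it was fetched from"
        else:
            continue
        findings.append({"path": str(path), "size": size, "sha256": digest, "reason": reason})
    return findings

def build_sample_tree() -> str:
    """Constructed sample install tree for a dry run (not real Passwordstate files)."""
    root = Path(tempfile.mkdtemp(prefix="pwstate_"))
    (root / "bin").mkdir()
    (root / "bin" / "Moserware.SecretSplitter.dll").write_bytes(b"\x00" * 65_000)
    (root / "bin" / "Passwordstate.dll").write_bytes(b"\x00" * 4_096)  # should not flag
    (root / "upgrades").mkdir()
    (root / "upgrades" / "upgrade_service_upgrade.zip").write_bytes(b"PK\x03\x04")
    return str(root)
```

A hash match is conclusive; the name and size hits are only a prompt to compare the file against the hash Click Studios publishes for the genuine DLL.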
Incident Context
- Motive: Credential Theft, Data Theft
- Cause: Update Mechanism Compromise
- Transitive: No
External References
- Passwordstate Incident Management Advisory (kryptera.se)
- Passwordstate password manager hacked in supply chain attack (bleepingcomputer.com)
- A supply chain attack compromised the update mechanism of Passwordstate Password Manager (securityaffairs.com)
- Hackers backdoor corporate password manager and steal customer data (arstechnica.com)
- Passwordstate hackers phish for more victims with updated malware (bleepingcomputer.com)
- Phishing Campaign Impersonates Click Studios to Deliver New Moserpass Malware Variant (netsec.news)
- Passwordstate Supply Chain Attack Exposes 29K Companies to the Risk of Compromise (socprime.com)
- Passwordstate customers complain of silence and secrecy after cyberattack (techcrunch.com)
- PasswordState, Password Manager Tool Compromised (ncert.gov.ph)
Source record: proprietary/passwordstate/meta.yaml