Click Studios, a software development company that offers active and effective solutions for companies, suffered a security breach between the 20th and 22nd of April 2021 targeting users of the company’s password manager, PasswordState. PasswordState is a password management solution that provides customers with role-based administration, end-to-end event auditing, 256-bit AES data encryption, code obfuscation and enterprise scalability.

______________________________

A. Nature of the Attack

Description of the attack:

From April 20 to 22, 2021, threat actors compromised the In-Place Upgrade functionality on Click Studios’ official website, altering the original location of the upgrade file so that it pointed to a malicious ZIP file hosted on an attacker-controlled server outside the company’s infrastructure. During this period, any user who used the In-Place Upgrade functionality to update PasswordState was affected by the attack.

The malicious ZIP file downloads and executes malicious files from the attacker-controlled server, which have the capability to harvest and extract the following information to the attacker’s infrastructure:

  • Computer Name
  • User Name
  • Domain Name
  • Current Process Name
  • Current Process ID
  • All running processes’ name and ID
  • All running services’ name, display name and status
  • PasswordState instance’s Proxy Server Address, Username and Password

Additionally, the attackers accessed some fields of the PasswordState instance’s password table:

  • Title
  • UserName
  • Description
  • GenericField1
  • GenericField2
  • GenericField3
  • Notes
  • URL
  • Password

______________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Users that updated their PasswordState using the In-Place Upgrade between the 20th and 22nd of April are highly advised to reset all credentials contained within PasswordState as soon as possible, especially credentials to critical systems that may expose external and internal assets to threat actors.
  • While users who manually updated their PasswordState are unlikely to be impacted by the attack, it is still advised to check the file size of moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin\ directory.
    • If the file size of the said DLL is greater than 65 KB, it is most likely that the PasswordState instance is compromised.
  • Users are highly advised to be vigilant in monitoring for any abnormality in system performance and unusual activity from affected assets.
  • For additional information regarding the issue, kindly refer to the official incident management advisory of Click Studios (https://www.clickstudios.com.au/advisories/Incident_Management_Advisory-01-20210424.pdf).
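The DLL size check described above can be scripted so that administrators get a consistent result on every PasswordState web server. The following PowerShell script is an added example written for this advisory; it is not code from CERT-PH or Click Studios. It assumes the default install path c:\inetpub\passwordstate\bin\ given above and uses the 65 KB figure from the advisory as its threshold (PowerShell's KB suffix means 1024 bytes, so 65KB is 66,560 bytes). The file hash it records is for the administrator's own records and incident notes; the advisory publishes no reference hash, so the script does not compare against one.

```powershell
# Added example (not from the CERT-PH or Click Studios advisories): check the size of
# moserware.secretsplitter.dll in the PasswordState bin directory, as recommended in section B.
# Assumptions: PasswordState installed under C:\inetpub\passwordstate (the path the advisory
# names); 65 KB is the advisory's threshold. Run in an elevated PowerShell on the web server.

param(
    [string]$BinPath = 'C:\inetpub\passwordstate\bin',
    [long]$ThresholdBytes = 65KB   # 65 * 1024 = 66560 bytes, per the advisory's 65 KB figure
)

$dll = Join-Path $BinPath 'moserware.secretsplitter.dll'

if (-not (Test-Path -LiteralPath $dll)) {
    Write-Warning "Not found: $dll (verify the PasswordState install path)"
    exit 2
}

$item = Get-Item -LiteralPath $dll
$sha256 = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash

# Record the evidence an incident responder would want alongside the verdict.
[pscustomobject]@{
    Path          = $item.FullName
    SizeBytes     = $item.Length
    LastWriteTime = $item.LastWriteTime
    SHA256        = $sha256
} | Format-List

if ($item.Length -gt $ThresholdBytes) {
    Write-Warning ("{0} is {1} bytes, larger than the {2} byte threshold: treat this instance as " +
                   "likely compromised, isolate it, and reset the credentials stored in PasswordState.") `
                   -f $item.Name, $item.Length, $ThresholdBytes
    exit 1
}

Write-Host ("{0} is {1} bytes, within the expected size; no indication of the tampered DLL." `
            -f $item.Name, $item.Length) -ForegroundColor Green
exit 0
```

The exit code (0 clean, 1 oversized DLL, 2 file missing) lets the script be run from a configuration management or monitoring job across several servers, and the printed record gives the responder the size, timestamp and hash to attach to a ticket if the check fails. A passing size check is only one indicator; users who ran the In-Place Upgrade during the affected window should still follow the credential reset guidance above.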

______________________________

C. Conclusion

In conclusion, organizations and businesses, both private and public, that use Click Studios’ PasswordState and have been affected by the breach must swiftly secure and protect their exposed credentials and assets to minimize the risk of being compromised, and must perform the mitigation steps and additional security measures on exposed assets.