Security experts recommend, as part of security best practices, using a password manager. The last thing they expect, however, is for that password manager itself to be compromised by an attack. Australia's ClickStudios password manager recently experienced such a breach.
Threat researchers from CSIS Security Group reported that the company ClickStudios was attacked between April 20 and April 22. The hackers pushed a malicious update, with malware inside, to its password manager, "Passwordstate." According to the notice posted on April 23, the attackers used a Zip file containing a dynamic link library ("moserware.secretsplitter.dll") laced with malicious code.
CSIS Security Group commented that "The malicious code tries to contact [a URL] in order to retrieve an encrypted code. Once decrypted, the code is executed directly in memory."
Threat researchers dubbed the malware "Moserpass"; it contacts a command-and-control server to execute additional commands. Before researchers could investigate further, the command server was shut down. They did note that the code was small, less than 4KB of data.
SentinelOne researcher Juan Andres Guerrero-Saade posted on Twitter about the incident: "At a glance, the Loader has the functionality to pull a next stage payload from the [command and control server]. There's also code to parse the 'PasswordState' vault's global settings (Proxy UserName/Password, etc.)"
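The report describes the malicious payload arriving as an extra DLL inside an update Zip. As an added illustration (not code from the article or from Click Studios), here is a defender-side check that audits every DLL in an update package against a pinned hash manifest; the manifest values, the "bin/" paths, the PasswordState.dll name and the zip contents are all constructed for the example.

```python
import hashlib
import io
import zipfile

# Expected contents of a legitimate update package, keyed by path inside the
# zip. In practice this manifest would come from a signed, out-of-band source;
# the values here are constructed for the example, not real vendor hashes.
EXPECTED_MANIFEST = {
    "bin/PasswordState.dll": hashlib.sha256(b"legit dll bytes").hexdigest(),
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_update_zip(zip_bytes: bytes, manifest: dict) -> dict:
    """Compare every DLL inside an update zip against a pinned manifest.

    Returns lists of DLLs that match ("ok"), that are listed but hash
    differently ("mismatch"), that are absent from the manifest ("unexpected",
    where an injected loader like moserware.secretsplitter.dll would land),
    and manifest entries not present in the zip ("missing").
    """
    result = {"ok": [], "mismatch": [], "unexpected": [], "missing": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".dll"):
                continue
            seen.add(name)
            digest = _sha256(zf.read(info))
            if name not in manifest:
                result["unexpected"].append(name)
            elif manifest[name] != digest:
                result["mismatch"].append(name)
            else:
                result["ok"].append(name)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def build_sample_update() -> bytes:
    """Construct a sample update zip: one expected DLL plus one extra DLL
    that is not on the manifest (constructed data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bin/PasswordState.dll", b"legit dll bytes")
        zf.writestr("bin/moserware.secretsplitter.dll", b"constructed extra dll")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_update_zip(build_sample_update(), EXPECTED_MANIFEST))
```

Any entry under "unexpected" or "mismatch" is grounds to quarantine the package before it is installed.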
How Did ClickStudios Respond?
ClickStudios could not be reached for comment about the attack. So, at this point, it is unknown how many Passwordstate customers may have downloaded the malicious update. ClickStudios does boast of serving more than 29,000 individuals and 370,000 security and IT companies worldwide. The tool is used as a vault for passwords and to share "sensitive password resources."
The ClickStudios website contained a message to customers saying:
"At Click Studios, we take the privacy of our customers very seriously. Many have expressed the wish to keep private that they have selected Passwordstate to protect their credentials. As much as we would like to advertise all our customers on our website, we hope you can appreciate us honouring their wishes and keeping this information private and confidential."
Threat experts are calling the incident another supply chain attack. Hackers are targeting companies and data repositories that give them access to a wide variety of individual users. The attack is one in a long line of supply chain attacks following the SolarWinds Orion attack. Alongside it, Microsoft Exchange, Accellion, and Codecov have recently been targeted with breaches to reach thousands of end-users. Some of these recent attacks are still sending shockwaves of damage through the industry.
Is it Safe to Use a Password Manager?
It is widely recommended that individuals and companies use password managers to keep and store very strong passwords for all devices, systems, and logins. However, are these programs safe?
As with most things, password managers are not all the same. Many do not store customers' passwords on their own database structure. They use other cloud systems or encrypted data servers. Some run locally on the users' machine only.
The key to keeping your online life safe is to do your research. Read reviews and delve deeply into the inner workings of the password manager you choose. Before signing up, find out how your data will be collected, stored, and used. In this world full of hackers and ransomware, you cannot be too careful. Consult IT experts about which programs they recommend for storing your most critical and sensitive passwords. To keep your private information secret, you must be your own advocate and check everything. Keep a close eye on your home and office network. Use good, strong antivirus and keep everything updated with the latest security patches.
In the event of a data breach, change all your passwords immediately.