Password Manager Passwordstate Hacked to Deploy Malware

upnorth

Moderator
A mysterious threat actor has compromised the update mechanism of the enterprise password manager application Passwordstate and deployed malware on its users’ devices, most of which are enterprise customers. Click Studios, the Australian software firm behind Passwordstate, notified its 29,000 customers earlier today via email.
Danish security firm CSIS, which dealt with the aftermath of this supply chain attack, published today an analysis of the attacker’s malware. The security firm said the threat actor forced the Passwordstate apps to download an additional ZIP file named “Passwordstate_upgrade.zip” that contained a DLL file named “moserware.secretsplitter.dll.” After installation, this DLL file would ping a remote command and control server, from where it would request new commands and retrieve additional payloads. Unfortunately, once the intrusion was discovered, the attackers immediately took down their C&C server, which has prevented investigators from discovering what additional payloads were delivered and what other actions the attackers performed.
Since this password manager is sold primarily in bulk to enterprises, to whom it is advertised as an on-premises system, changing passwords won’t involve just email and website accounts, but also passwords for internal gear such as firewalls, VPNs, switches, routers, network gateways, and others, which many employees would most likely have saved inside the app thinking it was a secure local storage system.
 

TairikuOkami

The security firm said the threat actor forced the Passwordstate apps to download an additional ZIP file named “Passwordstate_upgrade.zip”
This is the reason why I allow apps and MS processes to connect only to their IPs; there is no such thing as a trusted app. I am eternally thankful to CCleaner for the idea. 😅
 

The_King

This is the reason why I allow apps and MS processes to connect only to their IPs; there is no such thing as a trusted app. I am eternally thankful to CCleaner for the idea. 😅
Please advise how you go about restricting apps to connect to their IP addresses only? Thanks
 

TairikuOkami

Please advise how you go about restricting apps to connect to their IP addresses only? Thanks

It might look like an impossible task, but it is just a pain to set up in the beginning. Like when I was restricting svchost.exe, I was like, this cannot be done, but it works, mostly. :sneaky:
You have to ask yourself what you want to restrict and how much. For example, my browser is allowed to connect via port 443 only; that itself blocks most exploits, those using port 80.

The advantage is that, e.g., cloud apps will not upload files elsewhere, or an email client will not send login credentials to some random IP. svchost is the most obvious choice malware uses, because it is allowed even in enterprises. But it is worth mentioning that Windows Firewall is limited: it will not block process hijacks, so let's say a malware connects via browser.exe, the IP limitation will not apply, only the port, and if malware has admin rights, it can simply create rules for itself. ZoneAlarm and Comodo can block those hijacks though.
 
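The per-application egress restriction described in the post above, written out as an added example for Windows Defender Firewall via PowerShell (this is not code from the thread or from any of the products mentioned). Run it from an elevated PowerShell prompt. The program paths, the service name, and the 203.0.113.x addresses (RFC 5737 documentation range) are placeholders that stand in for the real vendor hosts you would look up for each application.

```powershell
# Added example (not from the thread): lock applications down to their own
# remote IPs and ports with Windows Defender Firewall. Run as Administrator.
# Paths, the service name and the 203.0.113.0/24 addresses are assumptions;
# replace them with the application's actual update/sync hosts.

# 1. Block everything outbound by default so only explicit Allow rules pass.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. One application may reach only its own servers, and only TCP/443.
$app      = 'C:\Program Files\ExampleApp\ExampleApp.exe'   # assumed path
$appHosts = @('203.0.113.10', '203.0.113.11')              # assumed vendor IPs

New-NetFirewallRule -Name 'ExampleApp-Out-443' `
    -DisplayName 'ExampleApp: outbound to vendor hosts only' `
    -Direction Outbound -Action Allow -Program $app `
    -Protocol TCP -RemotePort 443 -RemoteAddress $appHosts -Profile Any

# 3. Browser: any destination, but TCP/443 only (the port-only restriction
#    the post describes; the destination is deliberately left open here).
New-NetFirewallRule -Name 'Browser-Out-443' -DisplayName 'Browser: HTTPS only' `
    -Direction Outbound -Action Allow `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -Protocol TCP -RemotePort 443 -Profile Any

# 4. svchost.exe hosts many services. Rather than allowing the whole binary,
#    scope the rule to a single service (wuauserv is just an example name).
New-NetFirewallRule -Name 'svchost-wuauserv-Out' -DisplayName 'svchost: wuauserv only' `
    -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv `
    -Protocol TCP -RemotePort 80,443 -Profile Any

# 5. Audit: list enabled outbound Allow rules whose remote address is still
#    'Any'. Those are the rules a hijacked or backdoored process can ride on,
#    because the firewall matches on the program path, not on what the
#    process is actually doing.
function Get-OpenOutboundRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $prog = $_ | Get-NetFirewallApplicationFilter
            if ($addr.RemoteAddress -contains 'Any') {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Program       = $prog.Program
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

Get-OpenOutboundRules | Format-Table -AutoSize
```

The audit function is the practical check to run after setting rules up: every row it prints is an application that can still talk to arbitrary hosts. Note the limitation the post raises: these rules key on the executable path, so code that loads inside an allowed process (a malicious DLL dropped into an application's install directory, or an injected thread in the browser) inherits that process's allowance, and an attacker with administrator rights can add rules with the same cmdlets.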