Password Manager Passwordstate Hacked to Deploy Malware

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://therecord.media/password-manager-passwordstate-hacked-to-deploy-malware-on-customer-systems/
A mysterious threat actor has compromised the update mechanism of enterprise password manager application Passwordstate and deployed malware on its users’ devices, most of which are enterprise customers. Click Studios, the Australian software firm behind Passwordstate, has notified its 29,000 customers earlier today via email.
Click to expand...
Danish security firm CSIS, which dealt with the aftermath of this supply chain attack, published today an analysis of the attacker’s malware. The security firm said the threat actor forced the Passwordstate apps to download an additional ZIP file named “Passwordstate_upgrade.zip” that contained a DLL file named “moserware.secretsplitter.dll.” After installation, this DLL file would ping a remote command and control server, from where it would request new commands and retrieve additional payloads. Unfortunately, once the intrusion was discovered, the attackers immediately took down their C&C server, which has prevented investigators from discovering what additional payloads and other actions the attackers performed.
Click to expand...
Since this is a password manager is sold primarily in bulk to enterprises, to whom it is advertised as an on-premises system, changing passwords won’t involve just email and website accounts, but also passwords for internal gear such as firewalls, VPNs, switches, routers, network gateways, and others, which many employees would most likely have saved inside the app thinking it was a secure local storage system.
Click to expand...
therecord.media

Password manager Passwordstate hacked to deploy malware on customer systems

A mysterious threat actor has compromised the update mechanism of enterprise password manager application Passwordstate and deployed malware on its users\' devices, most of which are enterprise customers.
therecord.media therecord.media
 
  • Like
  • +Reputation
  • Wow
Reactions: CyberTech, ForgottenSeer 85179, silversurfer and 6 others
TairikuOkami

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,479
The security firm said the threat actor forced the Passwordstate apps to download an additional ZIP file named “Passwordstate_upgrade.zip
Click to expand...
This is the reason, why I allow apps and MS processes to connect only to their IPs, there is no such thing as a trusted app. I am eternally thankful to the CCleaner for the idea. 😅
 
  • Like
  • Applause
Reactions: dinosaur07, Venustus and Oxygen
The_King

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
542
TairikuOkami said:
This is the reason, why I allow apps and MS processes to connect only to their IPs, there is no such thing as a trusted app. I am eternally thankful to the CCleaner for the idea. 😅
Click to expand...
Please advise how you go about restricting Apps to connect to their IP addresses only? Thanks
 
Last edited:
  • Like
Reactions: Venustus
TairikuOkami

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,479
Opc9 said:
Please advise how you go about restricting Apps to connect to their IP addresses only? Thanks
Click to expand...
malwaretips.com

Advanced Plus Security - TairikuOkami's Configuration 2021

Unfortunately, it still takes about 5 secs when opening a custom image or a random webpage. I can not move it easily to ramdisk, like I did with Yandex. :cautious:
malwaretips.com malwaretips.com

It might look as an impossible task, but it is just a pain to setup in the beginning. Like when I was restricting svchost.exe, I was like, this can not be done, but it works, mostly. :sneaky:
You have to ask yourself, what do you want to restrict and how much. Like my browser is allowed to connect via port 443 only, that itself blocks most exploits, those using port 80.

The advantage is eg cloud apps will not upload files elsewhere or an email client will not send login credentials to some random IP, svchost is the most obvious choice malware uses, because it is allowed even in enterprises. But it is worth mentioning that windows firewall is limited, it will not block process hijacks, so lets say a malware connects via browser.exe, the IP limitation will not apply, only the port, and if malware has admin rights, it can simply create rules for itself. Zone Alarm and Comodo can block those hijacks though.
 
  • Like
Reactions: Venustus and The_King
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software
Replies
0
Views
1,140
News Archive
silversurfer
silversurfer
Viking
    • Like
    • +Reputation
    • Wow
Security News Deepfake scam targets password manager LastPass
Replies
1
Views
837
Security News
entropism
E
Brownie2019
    • Like
Unlimited Giveaway aiseesoft iPhone Password Manager
Replies
0
Views
375
Giveaways, Promotions and Contests
Brownie2019
Brownie2019

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top