Hackers Inject Malware Into Widely-Used Password Management App
Companies around the globe are scrambling to update critical credentials this weekend.
The reason: the popular password management app Passwordstate fell victim to hackers, who injected malware via the app’s update mechanism.
Click Studios, the developer of Passwordstate, alerted its customers about the incident late this week immediately after it was discovered. The email noted that the breach occurred between April 20 and 22.
During that time, the attackers “[used] sophisticated techniques” to insert a malicious file alongside legitimate Passwordstate updates. At this point in time it appears as though the malicious update did indeed make its way onto Passwordstate users’ computers.
Full Impact Difficult To Assess
In its online Passwordstate brochure, Click Studios reports “Empowering more than 29,000 Customers and 370,000 Security & IT Professionals globally.” With numbers like those in play, it could take weeks or even months before the full impact of the breach is known.
Even at a small or medium organization, IT staff manage dozens if not hundreds of credentials for services and devices.
“Affected customers password records may have been harvested,” states the breach notification (PDF link). Indeed, users would do well to assume the worst even though there are some mitigating factors.
Click Studios notes that the malicious activity spanned 28 hours. Customers who did not receive an automatic update during that window should not be affected. Likewise, users who perform updates manually should be safe.
The downside is that those groups could be fairly small. Keeping software fully updated is supposed to be one of the cornerstones of good security, after all. We’ve grown to rely on automatic update systems to take the hassle out of the process for us.
Security researchers at the Denmark-based CSIS Group detected the rogue file on a system during an investigation. Once it had been delivered to a victim’s computer, the file would attempt to establish communications with a remote server to download additional malicious components.
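The incident description above leaves an administrator with a concrete question: did anything land in the application's install directory during the 28-hour window that the vendor did not ship? The following is an added example (not code from the article, from Click Studios or from CSIS Group) of a small audit script that lists files modified inside that window and flags any whose hash is not in a vendor-published manifest. The window bounds, the install path and the manifest contents are assumptions and placeholders; the demo directory and its files are constructed inline so the script runs offline.

```python
"""
Added example (not from the article or the vendor): audit an install directory
for files modified inside a given time window whose SHA-256 is not listed in a
known-good manifest. The window here is an assumption derived from the article
(activity between April 20 and 22, lasting 28 hours); a real audit would use
the exact bounds and hashes published in the vendor advisory.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed window bounds (placeholder): start of April 20, 2021 UTC plus 28 hours.
WINDOW_START = datetime(2021, 4, 20, 0, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=28)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_install_dir(install_dir, known_good, start=WINDOW_START, end=WINDOW_END):
    """Return a sorted list of (relative_path, sha256) for files whose modification
    time falls in [start, end] and whose hash does not match known_good, a mapping
    of relative path -> expected SHA-256 (the vendor manifest, assumed to exist)."""
    suspicious = []
    root = Path(install_dir)
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        if not (start <= mtime <= end):
            continue  # untouched during the window; out of scope for this check
        rel = p.relative_to(root).as_posix()
        digest = sha256_of(p)
        if known_good.get(rel) != digest:
            suspicious.append((rel, digest))
    return sorted(suspicious)


def build_demo():
    """Constructed sample data: a temporary 'install dir' holding one legitimate
    file updated in the window, one unexpected file dropped in the window, and
    one old file untouched for a month. Returns (path, known_good_manifest)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "bin/app.dll": (b"legitimate build", WINDOW_START + timedelta(hours=2)),
        "bin/extra.dll": (b"unexpected payload", WINDOW_START + timedelta(hours=3)),
        "readme.txt": (b"old", WINDOW_START - timedelta(days=30)),
    }
    for rel, (data, when) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # set mtime so the demo reproduces the timeline
    # The manifest only knows the legitimate file; extra.dll is not in it.
    known_good = {"bin/app.dll": sha256_of(root / "bin/app.dll")}
    return str(root), known_good


if __name__ == "__main__":
    demo_dir, manifest = build_demo()
    for rel, digest in audit_install_dir(demo_dir, manifest):
        print(f"UNEXPECTED in window: {rel} sha256={digest}")
```

Modification times are only a first filter (an attacker can set them), so the hash comparison against the vendor manifest is the check that matters; anything the script reports should be preserved for forensic review rather than deleted.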
Automatic Updates Become a Double-Edged Sword
Automatic updates are great, when they perform as expected. When they don’t, however, there’s tremendous potential for trouble.
Sometimes it’s as innocuous as a handful of documents that refuse to print. Other times, it might be an antivirus update that renders your computer unable to boot at all. And sometimes it might give hackers the keys to your corporate password vault. Here’s hoping the malware in this incident wasn’t able to dig that deep.
Either way, this is a clear illustration of why elite — often state-sponsored — hackers choose to target these systems in supply chain attacks. Why go after just one corporate target when a well-placed attack on a provider can provide access to hundreds or even thousands of networks?