SolarWinds may have been a proof-of-concept of how effective a supply chain attack can be.
If you secretly add malicious code to a legitimate software update, then organizations might welcome all the code into their networks.
A similar type of attack just played out against an enterprise password management tool called Passwordstate, and credentials belonging to tens of thousands of organizations may have been stolen in the process.
Supply chain cyberattack against password manager Passwordstate
Click Studios is an Australian software company that operates the Passwordstate product, which is an on-premise, web-based solution for password management, where teams of people can access and share sensitive password resources.
The company recently advised customers who performed an In-Place Upgrade between April 20-22 that they may have downloaded a malicious Passwordstate_upgrade.zip file.
CSIS Security Group, which is handling the breach, explains the serious nature of the attack:
"If you are using Passwordstate, please reset all the stored passwords, and especially VPNs, Firewall, Switches, local accounts or any server passwords etc..."
And in the Passwordstate customer advisory statement, the company shared a brief summary of the situation:
"Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au.
The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down.
Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers' password records may have been harvested."
In further analysis, the company adds that the initial compromise was not attributed to stolen or weak credentials. Weak and guessable credentials were something SolarWinds was called out for following its far-reaching supply chain cyberattack.
Passwordstate data breach remediation: 8 steps to take
Remediating this attack is likely to cause some pain and will certainly consume security team resources.
In the company's statement, Click Studios and Passwordstate advise customers to take the following eight steps to remediate the risk:
- Download the advised hotfix file
- Use PowerShell to confirm the checksum of the hotfix file matches the details supplied
- Stop the Passwordstate Service and Internet Information Server
- Extract the hotfix to the specified folder
- Restart the Passwordstate Service, and Internet Information Server
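The hotfix procedure above, carried through in PowerShell as an added example (this is not Click Studios' script, and the advisory quoted here does not supply the actual hash, file path, install folder or service name; all four are placeholders to be replaced with the values in the vendor's own instructions). The point is the ordering: the checksum is compared to the vendor-supplied value and the script refuses to proceed on a mismatch, so a tampered hotfix is never extracted while the services are stopped.

```powershell
# Added example, not Click Studios' own script. Verifies the hotfix checksum,
# then stops the Passwordstate service and IIS, extracts the hotfix, and restarts both.
# All values in the param block are placeholders/assumptions; take the real ones from the vendor advisory.
param(
    [string]$HotfixPath   = 'C:\Temp\Passwordstate_hotfix.zip',   # assumed download location
    [string]$ExpectedHash = 'PASTE-VENDOR-SUPPLIED-SHA256-HERE',  # placeholder: copy from the advisory
    [string]$InstallDir   = 'C:\inetpub\Passwordstate',            # assumed "specified folder" from the advisory
    [string]$ServiceName  = 'Passwordstate Service'                # assumed Windows service name
)

# Step 2: compute the checksum locally and compare it with the value the vendor published.
# Get-FileHash returns an uppercase hex string, so normalise the expected value the same way.
$actual = (Get-FileHash -Path $HotfixPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash.ToUpperInvariant()) {
    Write-Error "Checksum mismatch for $HotfixPath (expected $ExpectedHash, got $actual). Not installing."
    exit 1
}
Write-Host "Checksum verified: $actual"

# Step 3: stop the Passwordstate service and Internet Information Server so no files are in use.
Stop-Service -Name $ServiceName -ErrorAction Stop
iisreset /stop | Out-Null

# Step 4: extract the verified hotfix into the install folder, overwriting existing files.
Expand-Archive -Path $HotfixPath -DestinationPath $InstallDir -Force

# Step 5: bring IIS and the Passwordstate service back up.
iisreset /start | Out-Null
Start-Service -Name $ServiceName
Write-Host "Hotfix applied; begin the password reset sequence from the advisory."
```

Run it from an elevated PowerShell session on the Passwordstate server after pasting the advisory's hash into `$ExpectedHash`; if the hash does not match, the script exits before any service is stopped, which is the behaviour you want when the upgrade channel itself is what was compromised.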
Once this is done, it is important that customers commence resetting all passwords contained within Passwordstate, since these may have been posted to the bad actor's CDN. Click Studios recommends prioritizing resets in the following order:
- All credentials for externally facing systems, i.e., Firewalls, VPN, external websites etc.
- All credentials for internal infrastructure, i.e., Switches, Storage Systems, Local Accounts
- All remaining credentials stored in Passwordstate