‘Number of affected customers still appears to be very low’, says latest vendor update

Passwordstate credentials potentially 'harvested' after malicious software update injected into password manager

UPDATED Passwords stored in enterprise password manager Passwordstate may have been “harvested” by attackers who planted a malicious software update file, the application’s developer, Click Studios, has revealed.

As per a Click Studios security advisory (PDF) issued on April 24, the “sophisticated” supply chain attack potentially affects customers who performed an in-place upgrade during the 28-hour period before the vendor disabled the feature.

Manual upgrades were unaffected, said Click Studios.

The vendor has issued a hotfix and advised affected users to reset all passwords stored in the password manager.

High-value target

The incident was first documented in a blog post from Danish infosec firm CSIS Group on April 23, which dubbed the malware ‘Moserpass’.

Enterprise password managers are used to securely store corporate passwords, credentials, secrets, tokens, and keys that grant access to confidential systems and data.

READ MORE CocoaPods RCE exploit exposed keys to repo used by three million mobile apps

Click Studios says Passwordstate is used by more than 29,000 customers, including Fortune 500 companies and organizations in verticals including banking, utilities, and healthcare.

However, in a second security advisory (PDF) posted yesterday (April 25), the Australian firm maintained that “the number of affected customers still appears to be very low”.

This assessment, however, “may change as more customers supply the requested information”, the company said.

Moserpass attack vectors

Click Studios said the attacker compromised the upgrade director on Click Studios’ website that “points the in-place upgrade to the appropriate version of software located on the content distribution network”.

The Adelaide-based company did not confirm the attack methods involved but indicated that they did not include either abuse of “stolen or weak credentials”.

The second advisory also stated that Click Studios’ “CDN network was not compromised” and that another bulletin independently produced for internal use supported its own “initial analysis”.


Upgrades conducted between April 20, 20:33 UTC and April 22, 00:30 UTC put customers at risk of downloading “a malformed Passwordstate_upgrade.zip file”.

The software vendor said it began helping “the small number of customers who were reporting issues with in-place upgrades” on April 21, and alerted customers by email the following day.

Downloading the malicious file set in train a process that culminated in the extraction of passwords and other system information to the attackers’ CDN network.

Catch up on the latest infosec research news

This included the names of computers, users, domains, current processes, and all running services; current process IDs; all running processes’ names and IDs; display names and statuses; and Passwordstate instances’ proxy server addresses, usernames, and passwords.

Password table fields relayed to the attacker included Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, and Password.

“There is no evidence of encryption keys or database connection strings being posted to the bad actor CDN network”, said Click Studios. This means ‘GenericFields’ data is safe where users chose to encrypt these fields.

Mitigation advice

Customers “are likely to have been affected” if the moserware.secretsplitter.dll file within their c:\inetpub\passwordstate\bin\ directory is 65 KB in size, an indication of compromise.

The software developer has, in its latest advisory, provided checksums that can be used to check whether the file is malicious.

“Click Studios number one priority is working with our customers, identifying if they have been affected and advising them of the required remedial actions,” Click studios told The Daily Swig. “To that end Technical Support Team members, Developers and Pre-Sales staff are focused only on assisting customers technically.”

The company also advised customers and partners to refer to the incident management advisory page for the latest updates related to the incident.


This article was updated on April 27 with a statement from Click Studios.

RECOMMENDED Researchers trick Duo 2FA into sending authentication request to attacker-controlled device