Dive Brief:
- Security researchers around the globe are investigating a malicious backdoor cyberattack launched against Passwordstate, an Australia-based password manager for enterprise users. It has tens of thousands of customers globally, including members of the Fortune 500.
- An unknown threat actor compromised an in-place security upgrade for the product, which exposed users for about 28 hours last week. The compromised upgrade caused a malformed zip file to be downloaded, according to Passwordstate's parent Click Studios. A rogue DLL file was then downloaded, allowing the attackers to exfiltrate computer system data, passwords and other information.
- Thus far, Click Studios says only a small number of customers have been affected; however, all customers need to reset credentials for all external-facing systems, such as VPNs, firewalls and external websites, as well as internal systems, including switches and storage.
Dive Insight:
Security researchers at CSIS Group went public soon after several corporate users reached out with concerns about the malicious attack. The Denmark-based cybersecurity firm said that it still doesn't know who is behind the incident, and while they are sophisticated, they're likely non-state actors.
"What was sophisticated in this example was it was the supplier that was compromised, and they were using a C&C server in their CDN [content delivery network]," said Jan Kaastrup, CTO at CSIS Group.
The attack on Passwordstate has some cybersecurity researchers concerned about how this could impact the trust in enterprise password managers, which have seen heightened demand amid months of supply chain and ransomware attacks launched against major companies and government agencies.
"This will be quite serious for some organizations and minimal for others," said David Chase, senior research director at Gartner. "Password managers are best suited for applications that cannot be integrated with other more robust security controls like SSO [single sign-on] via federated controls like SAML [Security Assertion Markup Language] and OIDC [OpenID Connect] and should not be used for privileged accounts like database administrators."
He said it is still too early to tell how serious this attack has been for U.S. enterprises.
"The ramifications of this attack are going to reverberate widely for all users of Passwordstate," Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, said via email. "Password managers are a common recommendation that furthers adoption of best security practices like avoiding password reuse. A software supply chain attack like this diminishes trust in the efficacy of these solutions."
Darren Guccione, co-founder and CEO of Keeper Security, said the Passwordstate attack also raises questions about the security of enterprise systems that are operated on premises versus cloud-based systems, because on-premises data is much more difficult to secure and isolate in a safe location.
The Australian Cyber Security Centre said it is monitoring the situation and providing advice to Click Studios and other Australian organizations and is regularly engaged with international cybersecurity partners.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) was not actively involved in or supporting the response to the incident, a spokesperson said Monday.