For more than 24 hours this week, hackers had unfettered access to the update mechanism for a popular password manager that claims hundreds of thousands of IT professionals as clients, incident responders revealed on Friday.
The malicious code found in the Passwordstate software offered the unidentified attackers a potential foothold onto any customer network that downloaded the update during that time.
Click Studios, the Australian firm that owns the Passwordstate password manager, claims that 370,000 IT security professionals around the world use the software. In addition, 29,000 organizations across sectors such as banking, manufacturing, defense and aerospace are customers, according to the Click Studios website.
“We assume this attack could have impacted a large number of these customers,” said CSIS Security Group, the Danish firm that responded to the intrusion.
In a year of high-profile supply chain compromises, it’s unclear how severely the incident will rank. But it points to the ceaseless interest of hacking groups in breaching high-value targets through the software those organizations use.
Much about the incident is still a mystery, for now. CSIS Group did not identify the culprit, and it said the attackers’ command-and-control server was offline on Friday, preventing access to an additional hacking tool used by the group.
Customers can’t simply update their software and be done with the issue. Click Studios reportedly sent its customers detailed instructions on how to extract the malicious code from their networks.
“We are only effectively seeing the first stage of a more intricate campaign,” said Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne. “Until we see this next stage payload, we can only assume the intent of the attackers.”
Guerrero-Saade said the incident was “part of a disturbing, larger trend of software supply-chain attacks that has been opportunistically increasing in popularity for the past five to six years.”