It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to “commence resetting all passwords.” The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world.
But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software.
One IT executive whose company was compromised by the attack said they felt “abandoned” by the software maker in the wake of the attack.
Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or “break glass” accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch. The sensitive data held by these customers might be why Passwordstate was the target of this supply-chain attack.
Click Studios sent an email to customers on April 22 warning of a possible Passwordstate compromise, but it wasn’t until Danish security research firm CSIS published a blog post the next day that revealed the existence and the extent of the breach.
CSIS said that cybercriminals had compromised the Passwordstate software update feature to deliver a malicious update to any customer who had updated their server during a 28-hour window between April 20-22. The malicious update was designed to steal the secrets from customers’ Passwordstate servers and transmit them back to the cybercriminals.
Some believed that the hack was “another SolarWinds,” referring to an incident months earlier at tech company SolarWinds after the network management software it sells to customers to monitor their networks and fleets of devices was compromised. Russian spies had infiltrated SolarWinds’ network and planted a backdoor in Orion’s software update feature, which was automatically pushed to customer systems. That gave the spies unfettered access to sneak around and gather information from potentially thousands of networks, including nine agencies of the U.S. federal government.
But Passwordstate was fortunate in ways that SolarWinds was not. Since new Passwordstate software updates need to be manually installed, many companies evaded compromise simply by luck. Determining whether a server had been compromised was also relatively easy by checking to see if the size of a particular file on the server was larger than it should be; the fix was fairly simple, as well.
Eastlink Cloud Pvt. Ltd.
Tripureshwor, Kathmandu, Nepal