Update April 27, 2021
ClickStudios has advised that the compromise of its PASSWORDSTATE enterprise password manager impacts the software’s In-Place Upgrade functionality. Manual Upgrades of Passwordstate are not compromised. It is believed that the poisoned update has resulted in customers’ password records being harvested. These records include a variety of system information, including computer name, usernames, current process name and ID, domain name, running processes and services, display name and status, proxy server address for Passwordstate, and the password manager’s username and password. ClickStudios believes the number of impacted users is low and that those customers should have already been notified. If your utility uses PASSWORDSTATE and you have been impacted due to the use of the In-Place Upgrade, you are urged to reset ALL passwords stored in PASSWORDSTATE. Read more at SecurityWeek.
Original notification: April 23, 2021
There is breaking news of a breach involving the ClickStudios password manager PASSWORDSTATE. If your organization uses this product, WaterISAC urges following ClickStudios' response and mitigation recommendations (provided in a notification to customers), which include resetting all stored passwords, especially for VPNs, firewalls, switches, local accounts, and any servers.
The advisory includes a brief list of IOCs, although researchers expect these don't represent all of the activity taking place.
On its webpage, ClickStudios says its clients include "more than 29,000 customers and 370,000 Security and IT Professionals around the world...including many Fortune 500 companies to the smallest of IT shops." According to ClickStudios, its clients are in numerous sectors and industries, including "government" and "utilities."
WaterISAC will continue to share information with its members and partners as more is learned about this developing incident. Members are encouraged to share information with WaterISAC by emailing firstname.lastname@example.org, calling 866-H20-ISAC, or using the online incident reporting form.