The company said in an advisory released early on Sunday AEST that any user who had upgraded between 8:33pm UTC on 20 April and 12:30am UTC on 22 April (6:33am AEST on 21 April and 10:30am AEST on 22 April) could be at risk.
The Adelaide-based firm, which was founded in 2000 as Visual Data Engineering, says Passwordstate is used by more than 29,000 customers and 370,000 security and IT professionals globally, many of them at Fortune 500 companies.
These are claimed to span multiple industry verticals including defence, banking and finance, media and entertainment, space and aviation, education, utilities, retail, mining, automotive, service providers and IT security integrators.
In what shouldn't surprise anyone, the rogue Passwordstate update harvests all the passwords and sends them to a remote server https://t.co/1Z3ByDmsUc — Martijn Grooten (@martijn_grooten) April 24, 2021
"Analysis of compromised data indicates the following information is posted back: Computer Name, User Name, Domain Name, Current Process Name, Current Process Id, All running Processes name and ID, All running services name, display name and status, Passwordstate instance’s Proxy Server Address, Username and Password," the advisory said.
"The following fields in Passwordstate instance’s password table are posted back: Title, UserName, Description, GenericField1, GenericField2, GenericField3, Notes, URL, Password. The Domain Name and Host name aren’t extracted as part of this.
"Although the encryption key and database connection string are used to process data via hooking into the Passwordstate Service process, there is no evidence of encryption keys or database connection strings being posted to the bad actor CDN network."
Basically, if the Passwordstate process is running, it spawns a thread to get the vault proxy settings, pulls the next-stage payload, uses the hardcoded hash ("f4f15dddc3ba10dd443493a2a8a526b0") to AES-decrypt the payload, and launches it in a new thread. — J. A. Guerrero-Saade (@juanandres_gs) April 23, 2021
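As an added, defender-side example (not code from Click Studios, the advisory, or the tweet's author): a small Python scanner that looks for the hardcoded key string quoted above inside the files of a Passwordstate installation or upgrade staging directory. It assumes the string is embedded verbatim in the malicious component, either as ASCII or as a UTF-16LE .NET string literal; the file-extension filter and the constructed sample buffer are this example's own choices.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Key string exactly as quoted in the tweet on this page.
HARDCODED_KEY = "f4f15dddc3ba10dd443493a2a8a526b0"

# Byte patterns to look for. A .NET string literal is stored as UTF-16LE in the
# assembly's user-string heap; a script or config file would carry it as ASCII.
# (Assumption for this example: the key is present as a literal in the file.)
PATTERNS: Dict[str, bytes] = {
    "ascii": HARDCODED_KEY.encode("ascii"),
    "utf-16le": HARDCODED_KEY.encode("utf-16-le"),
}


@dataclass(frozen=True)
class Hit:
    path: str       # file the match came from ("<memory>" for raw buffers)
    encoding: str   # which pattern matched
    offset: int     # byte offset of the match start


def scan_bytes(data: bytes, path: str = "<memory>") -> List[Hit]:
    """Return every occurrence of the key string in `data`, in either encoding."""
    hits: List[Hit] = []
    for name, needle in PATTERNS.items():
        start = 0
        while (idx := data.find(needle, start)) != -1:
            hits.append(Hit(path, name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def scan_file(path: str) -> List[Hit]:
    """Scan one file. Upgrade components are small, so the file is read whole."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), path)


def scan_tree(root: str,
              suffixes: Optional[Tuple[str, ...]] = (".dll", ".exe", ".config", ".ps1")) -> List[Hit]:
    """Walk an install or staging directory and collect every hit.

    `suffixes` is a hypothetical filter chosen for this example; pass None to scan all files.
    Compressed archives are not inspected, so an unextracted update zip would not match.
    """
    found: List[Hit] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if suffixes is None or name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                try:
                    found.extend(scan_file(full))
                except OSError:
                    continue  # unreadable file: skip it rather than abort the sweep
    return found


def constructed_sample() -> bytes:
    """Constructed test buffer (not a real binary): the key as a UTF-16LE literal
    at offset 8, then as ASCII at offset 74, surrounded by filler bytes."""
    return b"MZ\x90\x00pad!" + PATTERNS["utf-16le"] + b"\x00\x00" + PATTERNS["ascii"] + b"\x00"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else scan_bytes(constructed_sample())
    for h in hits:
        print(f"{h.path}: {h.encoding} match at offset {h.offset}")
    sys.exit(1 if hits else 0)
```

Run it with a directory argument to sweep a tree (non-zero exit code on any hit, so it drops into a scheduled job easily); with no argument it scans the constructed buffer. A match is an indicator to be confirmed against the vendor's advisory, not proof of compromise on its own, and the scanner is deliberately literal: a build that stores the key obfuscated or in a different encoding would need a different pattern.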
Researcher Taha Karim of Confiant Intel has provided a detailed analysis of the compromise, based on information available on Saturday.