Passwordstate Password Manager Breach: Free Questionnaire to Assess Supply Chain Risk

Assess your company’s exposure to the Passwordstate breach with these 8 essential questions for your vendors.

On April 24, 2021, Click Studios announced that a recent in-place upgrade of their Passwordstate password manager product had been compromised with invasive malware between April 20th and 22nd. The malware collected sensitive data, including passwords held in the Passwordstate system. Customers were told to deploy a hotfix package and reset all passwords held in the system.

Assess Your Third-Party Exposure to the Passwordstate Breach

Since Passwordstate is widely used by 370,000 security and IT professionals in 29,000 organizations, Prevalent has curated an 8-question assessment that can be leveraged to rapidly identify any potential impacts to your business by determining which of your third parties was affected by the malware and whether or not they have an incident response plan in place to address any risks.

8 Critical Questions to Ask Your Vendors
The answers to these questions will help you determine what remediations or next steps will be required to mitigate the potential impact.
Questions and Possible Answers
1) Has the organization been impacted by the recent Click Studios Passwordstate malware attack?

(Please select one.)

a) Yes, we have been impacted by the recent Click Studios Passwordstate malware attack.

b) No, we have not been impacted by the recent Click Studios Passwordstate malware attack.

c) The organization is unsure if it has been impacted by the recent Click Studios Passwordstate malware attack.

2) Has the organization contacted Click Studios with a directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt and has this file been sent to Click Studios Technical Support?

(Please select one.)

Help Text: Where an organization has been impacted by the Passwordstate malware attack, it is strongly recommended that it contacts the solution provider to receive advisory support and recommended actions to resolve the incident.

a) Yes, the organization has contacted Click Studios, and provided the directory listing of the Passwordstate output, and a copy of the PasswordstateBin.txt file to the Click Studios Technical Support team.

b) No, the organization has not contacted Click Studios, and provided the directory listing of the Passwordstate output, and a copy of the PasswordstateBin.txt file to the Click Studios Technical Support team.


3) Has the organization obtained a copy of the Incident Management Advisories created by Click Studios, and made available on their website?

(Please select one.)

Help Text: Click Studios has provided advisory papers, which describe key steps an organization should take following confirmation of having been affected by the Passwordstate malware attack.

a) Yes, the organization has obtained a copy of the Incident Management Advisories and has followed the recommended actions provided.

b) No, the organization has not obtained a copy of the Incident Management Advisories, or followed the recommended actions provided.

4) Based on the advisories provided by Click Studios, and contact with the Technical Support team, has the organization implemented the following recommended actions?

(Please select all that apply.)

a) The organization has downloaded the advised hotfix file.

b) The organization has used PowerShell to confirm the checksum of the hotfix file matches the details supplied.

c) The Passwordstate Service and Internet Information Server were stopped.

d) The hotfix was extracted to the specified folder.

e) The organization restarted the Passwordstate Service, and Internet Information Server.
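The directory listing from question 2 and the hotfix steps in question 4, sketched in PowerShell as an added example (not Click Studios' or Prevalent's own script). The hotfix file name, checksum, target folder, zip format and service display name are not given on this page and appear as labelled placeholders or assumptions; take the real values from the Click Studios advisory.

```powershell
# Added example. Values marked PLACEHOLDER must come from the Click Studios advisory.
param(
    [string]$HotfixZip    = 'C:\Temp\PLACEHOLDER_hotfix.zip',    # PLACEHOLDER: downloaded hotfix (assumed to be a .zip)
    [string]$ExpectedHash = 'PLACEHOLDER_CHECKSUM_FROM_ADVISORY', # PLACEHOLDER: checksum supplied by the vendor
    [string]$Algorithm    = 'SHA256',                             # assumption: use the algorithm the advisory names
    [string]$TargetDir    = 'C:\PLACEHOLDER\specified\folder',    # PLACEHOLDER: folder specified in the advisory
    [string]$ServiceLike  = 'Passwordstate*',                     # assumption: display-name pattern, confirm with Get-Service
    [string]$BinDir       = 'C:\inetpub\passwordstate\bin'        # directory named in question 2
)
$ErrorActionPreference = 'Stop'   # any failure halts the script so an operator can inspect

# Question 2: write the bin directory listing to PasswordstateBin.txt for Technical Support.
Get-ChildItem -Path $BinDir -Force |
    Select-Object Name, Length, LastWriteTimeUtc |
    Out-File -FilePath (Join-Path $env:TEMP 'PasswordstateBin.txt') -Encoding utf8

# Question 4b: confirm the checksum before anything else touches the file.
# -ne on strings is case-insensitive, so upper/lower-case hex both compare correctly.
$actual = (Get-FileHash -Path $HotfixZip -Algorithm $Algorithm).Hash
if ($actual -ne $ExpectedHash.Trim()) {
    throw "Checksum mismatch for $HotfixZip (expected $ExpectedHash, got $actual). Do not extract."
}

# Question 4c: stop the Passwordstate service and IIS.
$svc = Get-Service -DisplayName $ServiceLike
if (-not $svc) { throw "No service matches '$ServiceLike'; check the name before continuing." }
$svc | Stop-Service
iisreset /stop | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'iisreset /stop failed.' }

# Question 4d: extract the verified hotfix to the specified folder.
Expand-Archive -Path $HotfixZip -DestinationPath $TargetDir -Force

# Question 4e: restart IIS and the service only after a clean extraction.
iisreset /start | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'iisreset /start failed.' }
$svc | Start-Service
```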

5) Has the organization conducted password resets to the following critical systems?

(Please select all that apply.)

a) All credentials for externally facing systems (Firewalls, VPN & external websites).

b) All credentials for internal infrastructure (Switches, Storage Systems & Local Accounts).

c) All remaining credentials stored in Passwordstate.

6) Does the organization have an incident investigation and response plan in place?

(Please select all that apply.)

Help Text: Procedures for monitoring, detecting, analyzing and reporting of information security events and incidents should be in place, and enable an organization to develop a clear response strategy to handling identified incidents and events.

a) The organization has a documented incident management policy.

b) The incident management policy includes rules for reporting information security events and weaknesses.

c) An incident response plan is developed as part of incident investigation and recovery.

d) Incident response planning includes escalation procedures for internal parties and communication procedures for clients.

7) Who is designated as the point of contact who can answer additional queries?

Name:

Title:

Email:

Phone:

8) What is the level of impact to client systems and data following this attack?

(Please select one.)

Help Text: Consideration should be given to the level of impact on the availability and confidentiality of client information or systems.

Significant impact: The Passwordstate attack has caused client systems to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.

High impact: Service availability to client systems has been periodically lost, and there is the potential for some systems to periodically stop. Some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data, and minimal or no disruption to service availability.

a) There has been no impact to client systems or data following this attack.

b) There has been a low impact to client systems or data following this attack.

c) There is a high level of impact to client systems or data following this attack.

d) There has been significant impact to client systems or data following this attack.

Prevalent recently introduced the Third-Party Incident Response Service, a solution that helps to rapidly identify and mitigate the impact of supply chain breaches like the Passwordstate malware attack by providing a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. Prevalent offers this solution as a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.

Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring that provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors.

Together, these solutions help to automate breach impact discovery and accelerate response.

Take the Next Step

Use this questionnaire to determine the impact the Passwordstate malware attack could have on your supplier ecosystem. And learn more by downloading a best practices white paper, or contact us for a demo!

 


Editor's note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated and now includes information aligned with our product offering, regulatory changes, and compliance.