On April 24, 2021, Click Studios announced that a recent in-place upgrade of its Passwordstate password manager product had been compromised with invasive malware between April 20th and 22nd. The malware collected sensitive data, including passwords held in the Passwordstate system. Customers were instructed to deploy a hotfix package and reset all passwords held in the system.
Because Passwordstate is used by 370,000 security and IT professionals in 29,000 organizations, Prevalent has curated an 8-question assessment that you can use to rapidly identify potential impacts to your business. It determines which of your third parties were affected by the malware and whether they have an incident response plan in place to address any risks.
The answers to these questions will help you determine what remediations or next steps will be required to mitigate the potential impact.
Questions | Potential Responses |
---|---|
1) Has the organization been impacted by the recent Click Studios Passwordstate malware attack? (Please select one.) | a) Yes, we have been impacted by the recent Click Studios Passwordstate malware attack.<br>b) No, we have not been impacted by the recent Click Studios Passwordstate malware attack.<br>c) The organization is unsure if it has been impacted by the recent Click Studios Passwordstate malware attack. |
2) Has the organization contacted Click Studios with a directory listing of `c:\inetpub\passwordstate\bin` output to a file called `PasswordstateBin.txt` and has this file been sent to Click Studios Technical Support? (Please select one.)<br>Help Text: Where an organization has been impacted by the Passwordstate malware attack, it is strongly recommended that it contacts the solution provider to receive advisory support and recommended actions to resolve the incident. | a) Yes, the organization has contacted Click Studios, and provided the directory listing of the Passwordstate output, and a copy of the PasswordstateBin.txt file to the Click Studios Technical Support team.<br>b) No, the organization has not contacted Click Studios, and provided the directory listing of the Passwordstate output, and a copy of the PasswordstateBin.txt file to the Click Studios Technical Support team. |
3) Has the organization obtained a copy of the Incident Management Advisories created by Click Studios, and made available on their website? (Please select one.)<br>Help Text: Click Studios has provided advisory papers, which describe key steps an organization should take following confirmation of having been affected by the Passwordstate malware attack. | a) Yes, the organization has obtained a copy of the Incident Management Advisories and has followed the recommended actions provided.<br>b) No, the organization has not obtained a copy of the Incident Management Advisories, or followed the recommended actions provided. |
4) Based on the advisories provided by Click Studios, and contact with the Technical Support team, has the organization implemented the following recommended actions? (Please select all that apply.) | a) The organization has downloaded the advised hotfix file.<br>b) The organization has used PowerShell to confirm the checksum of the hotfix file matches the details supplied.<br>c) The Passwordstate Service and Internet Information Server was stopped.<br>d) The hotfix was extracted to the specified folder.<br>e) The organization restarted the Passwordstate Service, and Internet Information Server. |
5) Has the organization conducted password resets to the following critical systems? (Please select all that apply.) | a) All credentials for externally facing systems (Firewalls, VPN & external websites).<br>b) All credentials for internal infrastructure, (Switches, Storage Systems & Local Accounts).<br>c) All remaining credentials stored in Passwordstate. |
6) Does the organization have an incident investigation and response plan in place? (Please select all that apply.)<br>Help Text: Procedures for monitoring, detecting, analyzing and reporting of information security events and incidents should be in place, and enable an organization to develop a clear response strategy to handling identified incidents and events. | a) The organization has a documented incident management policy.<br>b) The incident management policy includes rules for reporting information security events and weaknesses.<br>c) An incident response plan is developed as part of incident investigation and recovery.<br>d) Incident response planning includes escalation procedures to internal parties, and communication procedures to clients. |
7) Who is designated as the point of contact who can answer additional queries? | Name:<br>Title:<br>Email:<br>Phone: |
8) What is the level of impact to client systems and data following this attack? (Please select one.)<br>Help Text: Consideration should be given to level of impact on the availability and confidentiality to client information or systems.<br>Significant impact: The Passwordstate attack has caused client systems to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.<br>High impact: Service availability to client systems has been periodically lost, and there is the potential for some systems to periodically stop. Some loss of confidentiality or integrity of data.<br>Low impact: No loss of confidentiality or integrity of data, and minimal or no disruption to service availability. | a) There has been no impact to client systems or data following this attack.<br>b) There has been a low impact to client systems or data following this attack.<br>c) There is a high level of impact to client systems or data following this attack.<br>d) There has been significant impact to client systems or data following this attack. |
Prevalent recently introduced the Third-Party Incident Response Service, a solution that helps to rapidly identify and mitigate the impact of supply chain breaches like the Passwordstate malware attack by providing a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. Prevalent offers this solution as a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.
Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring that provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors.
Together, these solutions help to automate breach impact discovery and accelerate response.
Use this questionnaire to determine the impact the Passwordstate malware attack could have on your supplier ecosystem. To learn more, download a best practices white paper or contact us for a demo!