Highlights:
Update: Asus has responded to the breach and has issued an official statement on the matter. In a statement to Digit.in, Asus said, "Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers. ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed. ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future. Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here."
Asus’ software update tool was breached by hackers to distribute malware to users. Motherboard reports, via a report by Kaspersky Lab, that attackers breached ASUS Live Update Utility software, which is used to deliver an array of software updates to the company’s laptops and desktops. This is said to be one of the biggest supply-chain based hacks where attackers breached and added a backdoor to official company software and pushed it to users through official Asus channels. Additionally, the trojan utility was signed using an authenticated digital certificate, which makes it even harder to detect compromised/modified software.
The attack has been named “ShadowHammer” by Kaspersky and about 57,000 of its security software users were detected having the malware installed. Symantec told Motherboard that it identified 13,000 of its users with the malware. As per ṭhe Kaspersky report, the attacker(s) hosted the modified software on the official ASUS server that is dedicated to updates. Even the file size of the malicious software was the same as the original file, so as to suppress suspicion and stay undetected. If you are using an Asus laptop or computer, we suggest you update the Asus Live Update Utility on your PC. Additionally, head out here to check if your MAC address was targeted in the attack.
The trojan was reportedly distributed to about 1 million Asus users but it seems that the hackers were after something specific as they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. It is not known what the attackers’ agenda was and more about details this attack will be divulged at the upcoming SAS 2019 security conference in Singapore. However, this type of supply chain attack is being compared with the Shadowpad and the CCleaner incidents, in terms of techniques and complexity.
Related Reads:
NotPetya is a wiper, not ransomware: Here's what that means
4% of Indian users attacked by banking Trojans in 2018: Kaspersky Lab