Over a million users might have downloaded and installed a backdoored version of an ASUS application that was served from the company’s official update servers. The incident is the latest in a string of software supply chain attacks that have come to light over the past couple of years and highlights the need for companies to better vet the applications and updates they deploy on their systems.
According to a report released Monday by security firm Kaspersky Lab, hackers created a trojanized version of a legitimate application called the ASUS Live Update Utility, signed it with valid certificates belonging to ASUS, and distributed it to users through the application’s own update mechanism. This indicates that, at the very least, hackers had access to ASUS’s code signing and update infrastructure.
Based in Taiwan, ASUSTeK Computer, commonly known as ASUS, is one of the world’s largest manufacturers of computers and computer components. The ASUS Live Update Utility comes preinstalled on many Windows computers made by the company and is used to deliver updates for BIOS/UEFI firmware, hardware drivers and other ASUS tools. The utility can also be installed manually by users after a clean Windows installation.
Researchers from antivirus firm Kaspersky Lab discovered the backdoored version of ASUS Live Update in January, after the company added new technology to its products for detecting unusual code added to larger applications and other anomalies that could indicate supply-chain attacks. After collecting additional samples and data, the researchers determined that the attack began in June and ended in November last year.
Dubbed ShadowHammer, the attack vector was active between June and November 2018, according to Kaspersky Lab’s telemetry, and left a large number of ASUS customers vulnerable to backdoor attacks once ShadowHammer had established communication with a command-and-control server.
“Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time,” Kaspersky’s breakdown of ShadowHammer explained.
“We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.
“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation.”
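Because targets were selected by network adapter MAC address, a defender who obtains a list of targeted addresses can check an asset inventory for exposure. The following is an added example, not code from Kaspersky or ASUS; the function names, host names and MAC values are constructed for illustration, and it assumes the indicator list is available as plain MAC strings.

```python
import re

# Matches colon, hyphen (Windows ipconfig/getmac) and Cisco dotted notation.
# The look-arounds stop matches inside longer hex runs such as IPv6 or GUIDs.
_MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:.-])("
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
    r")(?![0-9A-Fa-f:.-])"
)

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def exposed_hosts(inventory, indicators):
    """Map hostname -> sorted MACs that appear on the indicator list.

    inventory:  {hostname: free text containing adapter MACs}
    indicators: iterable of MAC strings in any common notation
    """
    wanted = {m for m in map(normalize_mac, indicators) if m}
    hits = {}
    for host, text in inventory.items():
        found = {normalize_mac(m) for m in _MAC_RE.findall(text)}
        matched = sorted(found & wanted)
        if matched:
            hits[host] = matched
    return hits

# Constructed sample data: locally administered MACs, not real indicators.
SAMPLE_INDICATORS = ["02:00:00:AA:BB:01", "0200.00aa.bb09"]
SAMPLE_INVENTORY = {
    "ws-014": "Physical Address. . . . . . . . . : 02-00-00-AA-BB-01",
    "ws-027": "ether 02:00:00:aa:bb:02  txqueuelen 1000",
    "sw-core": "Vlan10 0200.00aa.bb09 DYNAMIC Gi1/0/4",
}

if __name__ == "__main__":
    for host, macs in exposed_hosts(SAMPLE_INVENTORY, SAMPLE_INDICATORS).items():
        print(host, macs)
```

Normalizing both sides before comparison matters because the same address is written differently by Windows tools, Unix tools and switch MAC tables.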