Malware Installed in Asus Computers through Hacked Update Process
Kaspersky Labs is reporting on a new supply chain attack they call “Shadowhammer.”
In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.
[…]
The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.
We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (e.g., “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.
The sophistication of the attack leads to the speculation that a nation-state—and one of the cyber powers—is responsible.
As I have previously written, supply chain security is “an incredibly complex problem.” These attacks co-opt the very mechanisms we need to trust for our security. And the international nature of our industry results in an array of vulnerabilities that are very hard to secure.
Kim Zetter has a really good article on this. Check if your computer is infected here, or use this diagnostic tool from Asus.
Another news article.
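Because the trojanized samples selected victims by network adapter MAC address, a defender holding a published target list can compare a machine's adapters against it. The sketch below is an added example, not code from Kaspersky or ASUS; the target list entries, the adapter listing and the function names are constructed for illustration.

```python
import re

# Constructed placeholder target list (not real indicators), in mixed notations.
TARGET_MACS = ["00-11-22-AA-BB-CC", "0011.22dd.eeff"]

# Constructed adapter listing mixing `ipconfig /all` and `ip link` styles.
SAMPLE_OUTPUT = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 66-77-88-99-00-11
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    link/ether 00:11:22:dd:ee:ff brd ff:ff:ff:ff:ff:ff
"""

# Six octets joined by one consistent separator, or the dotted xxxx.xxxx.xxxx form.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:.-])"
    r"(?:[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
    r"(?![0-9A-Fa-f:.-])"
)

# Broadcast and all-zero addresses never identify a physical adapter.
NON_ADAPTER = {"ffffffffffff", "000000000000"}


def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits


def extract_macs(text):
    """Collect every adapter MAC found in tool output, normalized."""
    found = {normalize(m.group(0)) for m in MAC_RE.finditer(text)}
    return found - NON_ADAPTER


def targeted_adapters(text, targets):
    """Return the adapters in `text` that also appear on the target list."""
    wanted = {normalize(t) for t in targets}
    return sorted(extract_macs(text) & wanted)


if __name__ == "__main__":
    hits = targeted_adapters(SAMPLE_OUTPUT, TARGET_MACS)
    print("adapters on target list:", hits or "none")
```

A match only says the adapter is on the list; whether a trojanized updater was ever installed on that machine is a separate check.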
JonKnowsNothing • March 28, 2019 9:24 AM
There are at least 2 groups interested in grabbing access to products going into mass market
Attacking supply systems is a long standing military objective. It’s a very refined attack system and JIT made it super easy to do.
Trying to explain to people that just because it says XXX or the LED is green or it is in shrink wrap does not mean it really is XXX or the system is not failing or it’s not been rewrapped, this doesn’t seem to connect the dots for them.
While this concerns technology attacks, the same goes for consumer goods and foods. Faked Virgin Olive Oil, prohibited products in foods, mislabeled items, rewrapped meats. It’s old hat and well known.
For every bar we place to prevent redirection, it is only as good as the implementation. The system that permits an Updater to update malware or badware or crapware is useful for Group 1. They do it regularly. They are not going to allow the necessary changes. Or at least not until a whole lot of folks refuse Dragonfly work projects and the companies that profit from them.