Hundreds of thousands of Asus PCs may have been infected with malware installed by Asus’s own automatic Live Update tool.
Why on earth would Asus want to do such a thing?
They didn’t. According to researchers at Kaspersky, who have dubbed the attack “Operation ShadowHammer”, malicious hackers managed to plant the malware on Asus’s update servers and actually signed it with two of the company’s legitimate digital certificates.
How did hackers manage to poison Asus’s software update?
We don’t know.
How did the hackers manage to get hold of Asus’s code-signing certificates?
We don’t know.
You don’t seem to know very much. What did this malicious Asus update do?
The malicious update scans to determine the device’s network adaptor’s unique MAC address, and if matches one on a list of hashes hardcoded within the malware, downloads more malicious code down from a command and control server under the hackers’ control.
MAC? I thought we were talking about PCs?
Yes, we are talking about Asus notebook PCs running Windows. A MAC (Media Access Control) address is not something from Apple, it’s a unique identifier assigned to network interface hardware by manufacturers.
So they weren’t targeting all of the PCs that have installed the update? Only the ones which matched particular MAC addresses?
Correct. Although Kaspersky researchers say they have identified 57,000 of their users who have downloaded and installed the trojanised version of Asus Live Update (and they believe there may be over one million non-Kaspersky users similarly affected), they have only uncovered approximately 600 unique MAC addresses from the 200+ samples of the malware they have seen to date.
In other words, roughly 600 PCs were being targeted by the attackers. Kaspersky researchers have warned that there may be other examples of the malware out there including more MAC addresses.
Why would the attacker only want to install malicious code on a small subset of the compromised computers?
It’s hard to answer that question definitively, but one reason might be that they didn’t wish to draw attention to themselves and keep the operation “live” for as long as possible.
How long were Asus computers downloading the rogue update?
Kaspersky says that it was affecting a large number of users between June and November 2018. According to a report by Motherboard, Kaspersky’s team contacted Asus in January about the issue, but the manufacturer denied that its servers were compromised.
Symantec researchers also confirmed the incident, telling Kim Zetter of Motherboard that at least 13,000 computers belonging to Symantec customers were infected with the malicious software update from ASUS in 2018.
And what has Asus said?
Nothing so far.
Update: Asus has said it will issue an official statement sometime today (Tuesday 26 March 2019). Of course, they would have ideally begun investigating when first informed by Kaspersky in January rather than not take the researchers’ information seriously.
So if Asus isn’t doing anything, what am I supposed to do as a potentially affected customer?
Kaspersky has created a natty website - shadowhammer.kaspersky.com - where you can check to see if your MAC address is one the list of those targeted by the poisoned ASUS Live Update tool, and is inviting users to contact them if they have been targeted.
What could users have done to prevent themselves from being infected in the first place?
It’s a hard question to answer. We tell users to install security updates from their trusted suppliers to reduce the chances of a security incident. This update really did come from Asus’s servers, and had even been correctly digitally-signed using Asus’s software certificates.
And the way the malicious update then carefully selected its intended targets… it’s hard not to wonder if this might have been the work of state-sponsored hackers.
This isn’t the first time that vendors have been compromised to spread malware through a supply-chain attack.
For instance, in 2016 the update mechanism for the Ask toolbar was hijacked by attackers to install suspicious code.
The following year the anti-virus firm Avast distributed a digitally-signed version of CCleaner which contained a malicious backdoor that stole information from users’ PCs.
And perhaps most infamously of all, the NotPetya ransomware was initially spread via a malicious automatic update to a popular Ukrainian accounting software package.
So, supply-chain attacks are a big headache. By the way… why ShadowHammer?
I know, I know. It sounds like a villain from a superhero movie doesn’t it? Basically, this is what security vendors do these days to grab more attention for their discoveries. Just be grateful there’s not a logo for it… yet.
For more discussion of this topic, be sure to check out this episode of the “Smashing Security” podcast: