Computer hardware vendor Asus publicly confirmed on March 26 that it was the victim of a breach in which attackers were able to gain access to the company’s update servers.
With access to Asus’ servers, the attackers took aim at the Asus Live Update tool, which is used to deliver driver and firmware updates. The attackers injected Trojan code into the Asus Live Update tool and were able to deploy malware to what the company characterized as a small number of users. The updates appeared to be authentic to end users, as they were signed with legitimate Asus digital certificates.
“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” Asus wrote in a media advisory. “ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.”
The breach of the Asus Live Update service and the corresponding attack against users were uncovered by security firm Kaspersky Lab and publicly disclosed on March 25. Kaspersky Lab, which discovered the issue in January, has named the attack “Operation ShadowHammer.” It estimates that the attacks took place between June and November of 2018.
“Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time,” Kaspersky Lab wrote in its analysis. “We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.”
An analysis by Symantec found that at least 13,000 computers received the malicious Trojanized updates from the Asus. According to Symantec, victims were found evenly around the world, with 20 percent of infections coming from organizations and 80 percent coming from consumers.
Although the potential impact of the Asus update tool is large, Kaspersky Lab’s research found that it was in fact a highly targeted attack. Looking at the exploit code, the security firm found that there was a pool of 600 MAC addresses that were specifically targeted by the Operation ShadowHammer. A Media Access Control, or MAC, address is a unique identifier for a given piece of hardware.
The Asus exploit fits into an emerging category of supply chain attacks, whereby attacks insert themselves into the chain to attack end users and organizations. An attack against ccCleaner’s update infrastructure in 2017, for example, infected millions of users with malicious downloads.
Asus’ Response
In response to the Kaspersky Lab analysis, Asus said it released a new version of its Live Update software, with the 3.6.8 update. As part of the 3.6.8 update, Asus stated that it also “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.”
“At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future,” the company stated.
Asus has also released a diagnostic tool to assist users in identifying whether they have been impacted and released new guidance to help users make sure they are running the latest version of Asus Live Update.
While Asus has responded to the attack, there are still more details and perhaps victims that have yet to be publicly disclosed. Kaspersky Lab stated that the full investigation is still in progress and it plans to release additional details on April 8, during its SAS 2019 Conference in Singapore.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
