How to Protect Your Enterprise PCs Against Fake Updates

SECURITY ANALYSIS: The ASUS supply chain attack known as ShadowHammer could have been found before it infected computers if security managers had known what to look for.


Sometime between June and November 2018, ASUS computers were subjected to an attack in which users downloaded and installed a fake update that contained malware. The attackers did this by pairing old ASUS update code from 2015 with a new security certificate, and then having the Live Update software download and install it.

Once downloaded, the malware contained in the fake update installs a back door into the system, and then contacts a command-and-control server to download a second stage of the malware. The second stage was reserved for about 600 machines with specific MAC (media access control) addresses. Machines without those specific addresses got the back door, but no second stage.

The malware was discovered by Kaspersky Labs, which named it ShadowHammer because of its relationship to an earlier attack named Shadowpad. At this point, the purpose of the second-stage malware is unknown, and the nature of the 600 machines on the hard-coded list in the software is also unknown. However, Kaspersky does suspect that the attack was carried out by nation-state actors.

ASUS Sent a Notice to Its Users

ASUS published a notice on the attack which describes how to tell if a specific machine has been attacked and whether it still contains the malware. The company has also provided an update to the Live Update software with better security, and has sent out updates to remove and replace the malware-laden update. If you have an ASUS computer, you should visit the ASUS site and follow the instructions about detecting and removing the problem.

Unfortunately, ASUS was less than proactive in getting the word out to its customers that its update system had been breached. In fact, customers might never have known about the breach had Kaspersky not announced it following a long period in which ASUS failed to respond to the issue.

No doubt ASUS will be hearing from European regulators about its failure to notify customers of the breach within the time limits set by the General Data Protection Regulation (GDPR), but that failure to deal with security problems is something of a hallmark for ASUS, which is already under sanctions by the FTC for earlier security failures.

This particular lapse by ASUS appears to be on its way to being solved. The company has issued an update for both the affected computers and for the update software to improve security. In addition, ASUS says that it’s fixed the security problems that allowed hackers to poison its update system. One can only hope that its efforts are sufficient, but so far that’s unknown.

The Unknown is the Biggest Problem

The unknown is really the problem here. What do you do when you can’t completely trust the updates from the company that made your computers or your network infrastructure? And it’s important to remember that network devices ranging from Ethernet switches to printers have the ability to install updates automatically.

The answer is that there are a few steps you can take that will help ensure that you’re getting a clean update without a malware payload:

  • Check the reputation of the vendor that you’re getting hardware and software from. If a vendor has a series of security failures, as is the case with ASUS, then consider whether there’s something unique about the product that makes it worth the risk. Note that being cheaper is not one of those unique characteristics.
  • Designate one non-production machine to receive the update first. When you get the software, inspect it using a trusted anti-malware package. Also look at the packet inspection done by your NG firewall to see if there’s any indication of a problem. Only then install the update on that device you held out, making sure it’s not connected to the company network.
  • Pay attention to error messages or other unusual activity from machines you’re updating. ShadowHammer did generate some errors, and IT managers who checked with ASUS noticed that the update they’d received didn’t appear on the list of valid updates.
  • Scan the machine after the update to see if there are traces of malware, and also examine the machine’s network traffic for communications with a command-and-control server. Note that the server may have a name that resembles the name of the legitimate update server. You can use the IP address of the remote destination to discover what server it is.
  • Try to receive your updates from the actual manufacturer of the device that you’re updating. Some makers, including Microsoft, may try to use a nearby machine to provide the update code, but unless that machine has adequate security, you run the risk of getting your update from a compromised machine. Note that this includes machines on your own network, unless you’re completely satisfied that your network hasn’t ever been breached and you’re certain that there are no back doors.
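
The checks in the list above can be partly automated on the held-out test machine. The following is an added example, not part of the original article: it tests whether a downloaded update appears on the vendor's list of valid updates and flags contacted hostnames that resemble, but do not match, the legitimate update servers. The `vendor.example` hostnames, the digest list and all function names are constructed for illustration.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed stand-ins: the vendor's published list of valid updates (as
# SHA-256 digests) and the hostnames the vendor documents for its update service.
VALID_UPDATE_SHA256 = {hashlib.sha256(b"constructed: genuine update").hexdigest()}
LEGIT_UPDATE_HOSTS = {"liveupdate.vendor.example", "dl.vendor.example"}

def update_is_listed(update_bytes, valid=VALID_UPDATE_SHA256):
    """True only if the downloaded file matches an entry on the vendor's list."""
    return hashlib.sha256(update_bytes).hexdigest() in valid

def registrable(host):
    # Simplification (assumption): the last two labels are the registrable domain.
    return ".".join(host.split(".")[-2:])

def classify_host(host, legit=LEGIT_UPDATE_HOSTS, threshold=0.8):
    """Return 'legit', 'unlisted', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    if host in legit:
        return "legit"
    domain = registrable(host)
    legit_domains = {registrable(h) for h in legit}
    if domain in legit_domains:
        return "unlisted"  # vendor's domain, but not a documented update host
    name = domain.split(".")[0]
    for brand in (d.split(".")[0] for d in legit_domains):
        if brand in name or SequenceMatcher(None, name, brand).ratio() >= threshold:
            return "lookalike"  # resembles the vendor's name on another domain
    return "unrelated"

def review_test_machine(update_bytes, contacted_hosts):
    """Collect the findings that should block rollout of this update."""
    findings = []
    if not update_is_listed(update_bytes):
        findings.append("update not on vendor's list of valid updates")
    for host in contacted_hosts:
        verdict = classify_host(host)
        if verdict in ("lookalike", "unlisted"):
            findings.append(f"{verdict} host contacted: {host}")
    return findings

if __name__ == "__main__":
    # Constructed capture from the non-production machine after the update.
    hosts = ["liveupdate.vendor.example", "liveupdate.vendor-hotfix.example",
             "update.vend0r.example", "time.ntp.example"]
    for line in review_test_machine(b"constructed: unexpected update", hosts):
        print(line)
```

A file that passes a signature check can still fail the list check, which matters here because the fake ASUS update carried a new certificate.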

Automatic updates are both a convenience and a strong security benefit, because they help IT managers make sure that their machines have current patches and updates, but they’re not foolproof. You can help make them more secure by paying attention when the updates happen and by confirming that the updates are real, and that they’re clean before you apply them.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...