Backdoors have been installed on thousands of computers through ASUS updates
Researchers at Kaspersky Lab state that ASUS was used unwittingly to install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool.
The malicious file was signed with legitimate ASUS digital certificates in order to make it appear to be an authentic software update from the company.
ASUS’ server was pushing the backdoor to customers for at least five months last year before it was discovered.
Their live update tool that delivered the malware to customers last year is installed at the factory on ASUS laptops and other devices. When users enable the live update tool on their machine, the tool contacts the ASUS update server periodically to see if any firmware or other software updates are available.
The Kaspersky Lab researchers estimate that half a million Windows machines received the malicious backdoor through the ASUS update server. It appears that the attackers so far have only been targeting about 600 of those systems.
The malware searched for the targeted systems through their unique MAC addresses and, once found, reached out to a command-and-control server, which then installed additional malware on those machines.
It’s been noted that the attackers were not trying to target as many users as possible, but they wanted to gain access to very specific targets. The interesting thing is that they already knew in advance the network card MAC addresses of their intended victims.
Early hints that a signed and malicious ASUS update was being pushed to users came back in June of 2018. At that time a number of people posted comments in a Reddit forum about a suspicious ASUS alert that popped up on their machines for a “critical” update.
The posters included the language of the update, which read, “ASUS strongly recommends that you install these updates now.”
When the original poster and other users clicked on their ASUS updater tool to get information about the update, the tool showed that ASUS had not issued any recent updates.
Since the file was digitally signed with an ASUS certificate and because scans of the file on the VirusTotal website indicated that it was not malicious, many accepted the update as legitimate and downloaded it to their machines.
VirusTotal is a website that aggregates dozens of antivirus programs. Users can then upload suspicious files to the site to see if any of the tools detect that the file is malicious.
Kaspersky Lab uncovered the malicious update attack in January of 2019. After that, the researchers then created a signature to find the malicious update file on other customer systems. They discovered that more than 57,000 Kaspersky customers had been infected. That number of infections only accounts for Kaspersky customers and the real number of those infected is likely to be in the hundreds of thousands.
They plan to release a full technical paper and presentation about the ASUS attack, dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.
This issue highlights the growing threat from what are called supply-chain attacks.
With supply-chain attacks, malicious software or components get installed on systems as they’re manufactured or assembled, or afterward via trusted vendor channels.
Last year, the US launched a supply-chain task force to examine the issue after a number of supply-chain attacks were uncovered in recent years.
Although most attention on supply-chain attacks focuses just on the potential for malicious implants to be added to hardware or software during manufacturing, software updates are an ideal way for attackers to deliver malware to systems after those systems are sold, as customers trust vendor updates, especially if those updates are signed with a vendor’s legitimate digital certificate.
Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team states, “This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware.”
Kamluk also noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. Unfortunately for ASUS, the download path for the malware samples that Kaspersky collected lead directly back to the ASUS server.
There were also two different attacks discovered in 2017 that also compromised trusted software updates. One of those attacks involved the computer security cleanup tool known as CCleaner that was inadvertently delivering malware to its customers via a software update. More than 2 million customers received that malicious update before the malware was discovered.
The other attack involved the infamous notPetya attack that begin in Ukraine and infected machines through a malicious update to an accounting software package.
Kamluk went on to state that “Supply chain attacks are in the ‘big deal’ category and are a sign of someone who is careful about this and has done some planning. But putting something out that hits tens of thousands of targets when you’re really going only after a few is really going after something with a hammer.”
ASUS was one of the primary targets of the CCleaner attack in 2017, and one of the possibilities being taken into account is that attack may be how the attackers initially gained access to the ASUS network, and later managed to use their access in this most recent malware attack.
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648