ASUS Live Update Utility, the online update utility used by ASUS users worldwide, was recently compromised.
Hackers added a backdoor to the utility and distributed it through official channels on ASUS’ own server. The backdoored build was distributed to, and pre-installed on, around 1 million users’ devices in total, giving the attackers the opportunity to deploy further malicious code. According to Kaspersky researchers, the attackers targeted about 600 specific Media Access Control (MAC) addresses by hardcoding a list of addresses into the backdoor. The backdoor compared the hardware addresses of the infected machine, the identifiers of the network adapters used to connect a computer to a network, against this list, and only on matching devices did it download further malicious code, which was then installed to compromise those devices.
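As an added illustration of the MAC-based targeting described above (this is not code from the article, Kaspersky or ASUS), the following triage script parses an adapter listing such as the output of `ipconfig /all`, normalises the MAC addresses it finds, and reports any that appear on a supplied target list; the adapter listing and the target list here are constructed placeholders, and a real check would load the indicators published by the researchers.

```python
from __future__ import annotations

import re
from typing import Iterable

# Matches a 6-octet MAC written with ':' or '-' separators, e.g. 00-1A-2B-3C-4D-5E.
# The lookbehind/lookahead stop it from matching a 6-octet window inside a longer
# hex string such as a DHCPv6 DUID that also appears in `ipconfig /all` output.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f][:-])"
    r"\b[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}\b"
    r"(?![:-][0-9A-Fa-f]{2})"
)


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, regardless of separator or case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def extract_macs(adapter_listing: str) -> list[str]:
    """Pull every MAC address out of an adapter listing, normalised."""
    return [normalize_mac(m.group(0)) for m in MAC_RE.finditer(adapter_listing)]


def matching_macs(adapter_listing: str, target_list: Iterable[str]) -> list[str]:
    """Return the host's MACs that appear on the target list (normalised, sorted)."""
    targets = {normalize_mac(t) for t in target_list}
    return sorted(set(extract_macs(adapter_listing)) & targets)


# Constructed sample, not real data: an excerpt of `ipconfig /all` from a two-adapter host.
SAMPLE_LISTING = """Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-45-67-89-00-1A-2B-3C-4D-5E
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
"""

# Constructed placeholder target list; the real indicators come from the published research.
CONSTRUCTED_TARGETS = ["aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"]

if __name__ == "__main__":
    hits = matching_macs(SAMPLE_LISTING, CONSTRUCTED_TARGETS)
    print("targeted adapters:", hits if hits else "none")
```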
Operation ShadowHammer
Dubbed Operation ShadowHammer, the attack took place between mid and late last year and affected many users. Over 57,000 Kaspersky users downloaded the backdoored update at some point while it was active. Affected ASUS users were mainly based in Russia and Germany; users in Poland, the UK, Japan and Brazil were also impacted, but to a lesser degree. Kaspersky believe the tactics resemble those of an Advanced Persistent Threat (APT) group and that this could, therefore, be a state-sponsored attack. In addition, the attackers relied on persistence, staying undetected for as long as possible in order to gather as much information as possible. They achieved this by signing the backdoored utility with legitimate ASUS certificates and hosting it on the official ASUS update channel, liveupdate01s.asus[.]com.
Kaspersky further linked the attack to the Microsoft 2017 ShadowPad incident. In that case, the APT group BARIUM used the Winnti backdoor to make DNS requests from a financial transaction system. The NetSarang software itself did not make these requests, and Kaspersky’s investigation found a malicious module hidden inside the genuine NetSarang software. BARIUM is reportedly a Chinese state actor.
Response to Findings
ASUS was notified at the end of January and has yet to respond or to advise its customers, although a month after notification ASUS stopped using the compromised certificates. It did not, however, invalidate the certificates, so attackers could still sign malicious files with them. ASUS’ security came under scrutiny in 2016 when findings revealed vulnerabilities in its cloud back-ups and routers that allowed hackers to gain access to its users’ credentials. The Federal Trade Commission eventually charged ASUS with misrepresentation and unfair security practices, and ordered ASUS to put in place a security programme subject to audit for 20 years.
Kaspersky’s investigation continues, and it will release its full report next month at the Security Analyst Summit in Singapore. Users should ensure endpoint security measures are in place to monitor for and safeguard against this compromise until ASUS remediates it.