News

Asus Computers Targeted for Attack Using Compromised Update Software

• By Kurt Mackie
• 03/25/2019

Software security firm Kaspersky Lab announced on Monday that Asus computer users were targeted last year with malware via Asus' update utility in a so-called "supply-chain attack."

The attackers were able to modify the Asus Live Update Utility, which is used to deliver firmware and software updates to those machines. Asus machines get shipped with this utility preinstalled.

Update 3/26: Asus posted a response on Tuesday to "media reports" about its compromised Asus Live Update tool. It offered a diagnostic tool for users to check if their Asus machines were affected, although Asus is also contacting the targeted users. The latest version of Asus Live Update (version 3.6.8) also includes added security measures, Asus claimed. The company also "strengthened our server-to-end user software architecture" to ward off similar exploits. "Only a very small number of specific user group[s] were found to have been targeted by this attack," Asus claimed.

The modified utility software, dubbed "Operation ShadowHammer" by Kaspersky Lab, served as a "backdoor" for delivering even more malware. The dropped malware was thought to be targeted to specific users based on a list of MAC addresses.

Kaspersky Lab was able to find 600 MAC addresses that were "hardcoded into different versions of the utility" for targeting users, although the malware went out to "about 1 million people total." The security firm got that information from just 200 of its samples, though, and so possibly more malware might have been sent. Most of the Asus users who got the malicious utility software were in Russia, followed by Germany, France, Italy and the United States, according to a chart published in this Kaspersky Lab SecureList post.

It's thought that not everyone was targeted for attack. Kaspersky Lab has published this ShadowHammer portal where Asus users can check if they were targeted by entering their MAC addresses.

Asus machine users got the malware disguised as an update to the utility software. This fake update was delivered from Asus' own servers, according to Kaspersky Lab, and bore a legitimate Asus certificate. Security software firm Symantec also reportedly confirmed that Asus' servers were the source of the fake utility software update, according to this Motherboard story. Asus continued to use the compromised certificates for "at least a month" after being notified until ending their distribution, according to Motherboard's account. However, the certificates still haven't been invalidated by Asus, according to Kaspersky Lab, which means they could still be used.

The attack was active between June and November of 2018. Kaspersky Lab notified Asus about the problem on Jan. 31, 2019, according to a Threatpost story by Kaspersky Lab. A representative from Kaspersky Lab met personally in February with an Asus representative, but Asus was described as being "largely unresponsive" since that meeting, according to the Motherboard story.

Kaspersky Lab is attributing the attack to the Barium group, an advanced persistent threat effort purported to be "China backed," according to the Threatpost story. The attack is deemed similar to attacks carried out in 2017 using the CCleaner software utility and the NetSarang server management software (known as the "ShadowPad" attack).

Since Asus had been targeted by the CCleaner attack, it's thought that the CCleaner attack was used to compromise Asus' network, which later led to carrying out the ShadowHammer attack, according to the Motherboard story.

There's apparently no published reaction as of Monday afternoon from Asus on all of these claims. Kaspersky Lab is planning to describe further details at the SAS 2019 conference next month in Singapore.