Motherboard today reported on a backdoor malware attack on ASUS' update servers, which took place last year between June and November 2018. The attack was discovered by Kaspersky Lab in January 2019 and was subsequently named 'ShadowHammer'. Researchers say the attack was discovered after Kaspersky added a new supply-chain detection technology to its own scanning tool, built to catch anomalous code fragments hidden in legitimate code, or code that hijacks normal operations on a machine.
Kaspersky analysts told Kim Zetter, a cybersecurity journalist at Motherboard, that the backdoor malware was pushed to ASUS customers for at least five months before it was discovered and shut down.
Researchers also said that attackers compromised the ASUS server behind the company's live software update tool and used it to push the malware, silently installing a backdoor on thousands of customers' computers. The malicious file was signed with legitimate ASUS digital certificates, making it appear to be an authentic software update from the company.
A Kaspersky spokesperson said, “Over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time… We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide”.
According to researchers at Kaspersky Lab, the goal of the attack was to “surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses”. The attackers first hardcoded a list of MAC addresses in the trojanized samples; this list was used to identify the actual intended targets of this massive operation. “We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list”, the researchers mentioned.
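The mechanism described above (a widely distributed implant that only activates when one of the host's adapter MAC addresses appears on a hardcoded list) is also exactly the check a defender wants to run the other way round: take a published list of target addresses and ask whether this machine is on it. The script below is an added example, not code from the original article, from Kaspersky or from ASUS. It assumes the list is held as MD5 hashes of MAC addresses normalised to lower-case, colon-separated form; the real samples' exact storage format and canonicalisation are not stated on this page, and the addresses in `CONSTRUCTED_TARGET_MACS` are made up for the example, not real indicators. The `local_macs` helper is a best-effort stand-in for proper adapter enumeration.

```python
import hashlib
import re
import uuid

# Constructed sample targets for the example. These are NOT real ShadowHammer
# indicators; a defender would replace them with a vendor-published list.
CONSTRUCTED_TARGET_MACS = ["00-11-22-33-44-55", "aa:bb:cc:dd:ee:ff"]


def canonical_mac(mac: str) -> str:
    """Normalise any common textual MAC form (AA-BB-..., aa:bb:..., aabb.ccdd.eeff)
    to lower-case, colon-separated. Canonicalisation matters: a hashed list only
    matches if both sides hash the same byte string."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_hash(mac: str) -> str:
    """MD5 of the canonical form (assumed storage format for this example)."""
    return hashlib.md5(canonical_mac(mac).encode("ascii")).hexdigest()


def build_target_list(macs):
    """Turn a list of MAC strings into the set of hashes an implant would carry."""
    return {mac_hash(m) for m in macs}


def matching_adapters(adapter_macs, target_hashes):
    """Return the canonical MACs of adapters that are on the target list.
    Unparseable entries are skipped rather than aborting the whole check."""
    hits = []
    for m in adapter_macs:
        try:
            h = mac_hash(m)
        except ValueError:
            continue
        if h in target_hashes:
            hits.append(canonical_mac(m))
    return hits


def local_macs():
    """Best-effort local adapter MAC via uuid.getnode(). It returns one adapter's
    address, or a random value with the multicast bit set when none is found;
    a real diagnostic tool would enumerate every adapter instead."""
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit set: not a hardware address, so ignore
        return []
    return ["%012x" % node]


if __name__ == "__main__":
    targets = build_target_list(CONSTRUCTED_TARGET_MACS)
    hits = matching_adapters(local_macs(), targets)
    print("on target list:" if hits else "not on target list", hits)
```

Because the implant compares hashes, a defender holding only the hashed list cannot read the targets off it, but can still test any concrete machine against it; that asymmetry is why the check above works in both directions while the list itself reveals little.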
Zetter also tweeted about “a Reddit forum from last year where ASUS users were discussing the suspicious software update ASUS was trying to install on their machines in June 2018”.
Here’s a @reddit forum from last yr where ASUS users were talking about a suspicious software update ASUS was trying to install on their machines in June 2018 – the same update that @kaspersky Lab discovered two months ago was malicious https://t.co/2LBmNnoWrs https://t.co/gzHfWdKSch
— Kim Zetter (@KimZetter) March 25, 2019
Kaspersky Lab plans to release a full technical paper and presentation about the ASUS attack at its Security Analyst Summit held in Singapore next month. Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team, said, “This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware.”
Zetter writes, “Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.”
Costin Raiu, company-wide director of Kaspersky’s Global Research and Analysis Team, told Motherboard, “I’d say this attack stands out from previous ones while being one level up in complexity and stealthiness. The filtering of targets in a surgical manner by their MAC addresses is one of the reasons it stayed undetected for so long. If you are not a target, the malware is virtually silent.”
In a press release, ASUS stated that the backdoor was fixed in Live Update version 3.6.8. The company has also “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism”, the press release states. ASUS has also created an online security diagnostic tool to check for affected systems.
To know more about the technical details on this attack, head over to Kaspersky’s website.