
Asus software hack reportedly leaves thousands of PCs exposed

In-house software belonging to tech giant Asus could have been compromised by nefarious actors, a report by Kaspersky Lab says. The Asus Live Update Utility was reportedly used to install a malicious backdoor on some 57,000 Windows computers – and potentially hundreds of thousands more beyond Kaspersky's reach – with follow-on malware delivered to a select, targeted few.

Of course, Kaspersky Lab is offering up a salacious name for the attack: Operation ShadowHammer – no doubt making acts of this nature even more alluring to those with the means and will to carry them out. I propose the next large hack be called operation stinker, or operation ****hat. No one wants to be the mastermind behind operation ****hat.

Nevertheless, a compromised server over at Asus HQ was allegedly utilised to send digitally-signed and ‘secure’ software, complete with compromising backdoor, unwittingly to users’ PCs between June and November 2018. Once installed, it would search for pre-determined MAC addresses, hinting toward the targeted nature of this attack, and, if found, connect to a third-party server that would install malware on these machines.

The attack was discovered after Kaspersky Lab added a new supply-chain detection technology to its scanning tool, designed to catch this style of dangerous code hidden within legitimate packages; the findings were subsequently reported by Motherboard. The security company plans to release a full technical paper on the proposed Asus attack at the Security Analyst Summit in Singapore.


The malicious file was actually a three-year-old Asus update file, the report states. This file was injected with malicious code and then signed with a genuine Asus certificate so that it appeared legitimate. Because of the age of the file used, Kaspersky does not believe the attackers had access to the entirety of Asus' systems, only the signing infrastructure needed to make the file appear legitimate to client systems.

Kaspersky Lab also attempted to contact Asus in January to report the attack. However, Asus denied the claims. It reportedly continued to use one of the two compromised certificates for a few months afterwards, but has since ceased its use.


Motherboard subsequently contacted a second security company, Symantec, to confirm whether its customers had received the malicious code. It confirmed that at least 13,000 were affected. The full breadth of the attack is not yet confirmed, but is estimated in the hundreds of thousands.

“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” Vitaly Kamluk, director of Kaspersky Lab's Global Research and Analysis team, told Motherboard.
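Kamluk's point is that a valid vendor signature proves who held the signing key, not that the file is the one the vendor meant to ship. The following is an added illustration, not code from the article, Kaspersky or Asus: it shows a signed-but-tampered update passing a signature-only check and being caught only when the file hash is also compared against a hypothetical out-of-band manifest and the version is checked against what is already installed. HMAC-SHA256 stands in for real code signing, and all payloads, versions and the manifest are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for the vendor's code-signing key. Real update signing uses an
# X.509 code-signing certificate; HMAC-SHA256 stands in so the example runs offline.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

Version = Tuple[int, int, int]


def sign(payload: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Produce a stand-in 'vendor signature' over the update payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signature_valid(payload: bytes, signature: str, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What a signature-only check asks: was this signed with the vendor key?"""
    return hmac.compare_digest(sign(payload, key), signature)


@dataclass(frozen=True)
class Update:
    version: Version
    payload: bytes
    signature: str

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


def assess_update(update: Update, manifest: Dict[Version, str], installed: Version) -> List[str]:
    """Return the list of reasons to reject the update (empty list = accept).

    The signature is necessary but not sufficient: the file hash must also match
    the hash the vendor published for that version through a separate channel,
    and an update must never roll the installed version backwards.
    """
    reasons: List[str] = []
    if not signature_valid(update.payload, update.signature):
        reasons.append("signature invalid")
    expected = manifest.get(update.version)
    if expected is None:
        reasons.append("version not in manifest")
    elif not hmac.compare_digest(expected, update.sha256):
        reasons.append("hash differs from manifest")
    if update.version < installed:
        reasons.append("older than installed version")
    return reasons


# --- Constructed sample data -------------------------------------------------
OLD_PAYLOAD = b"constructed old updater build v1.2.0"
NEW_PAYLOAD = b"constructed current updater build v3.0.1"

# Hypothetical out-of-band manifest: version -> SHA-256 of the build the vendor shipped.
MANIFEST: Dict[Version, str] = {
    (1, 2, 0): hashlib.sha256(OLD_PAYLOAD).hexdigest(),
    (3, 0, 1): hashlib.sha256(NEW_PAYLOAD).hexdigest(),
}
INSTALLED: Version = (3, 0, 0)

# The genuine current release, signed by the vendor.
GENUINE = Update((3, 0, 1), NEW_PAYLOAD, sign(NEW_PAYLOAD))

# The pattern the article describes: an old, legitimate build with injected code,
# re-signed with a vendor key the attackers held. The marker bytes are constructed.
TROJANISED_PAYLOAD = OLD_PAYLOAD + b"<<constructed injected code marker>>"
TROJANISED = Update((1, 2, 0), TROJANISED_PAYLOAD, sign(TROJANISED_PAYLOAD))


if __name__ == "__main__":
    for name, upd in (("genuine", GENUINE), ("trojanised", TROJANISED)):
        print(name, "signature valid:", signature_valid(upd.payload, upd.signature),
              "verdict:", assess_update(upd, MANIFEST, INSTALLED) or ["accept"])
```

Run stand-alone, the trojanised file reports a valid signature but is rejected on two independent grounds, which is the layered check a signature-only trust model lacks. The manifest and downgrade checks are the kind of thing a fleet-management or EDR policy can enforce; the manifest must come from a channel the update server itself cannot tamper with, otherwise an attacker with the signing key could forge that too.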

If you were not one of the 600 or so MAC addresses targeted by the attack, the malware would remain relatively low-key – which is how it managed to avoid detection for so long. However, the backdoor remained open to exploitation on affected systems.

“They were not trying to target as many users as possible,” Kamluk continues. “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”

The targeted nature of this attack is fascinating, and the security researchers believe the Asus attack may have been connected to a previous – potentially a precursor – CCleaner attack. Asus' servers were listed among those affected by the widespread CCleaner malware update, and Kaspersky Lab believes this could have been how the attackers gained access to the components needed for this most recent bout of hacks.
