Asus Servers Hijacked To Push Malware To Customers

Hackers compromised the servers belonging to Taiwanese PC maker Asus last year, according to researchers at security firm Kaspersky Lab.

To make matters even worse, the attackers then used the compromised server to hijack the PC maker’s software update tool to push out malware onto thousands of its customers’ computers.

The hacker operation, dubbed ShadowHammer, was first reported by security website Motherboard, and the attack was so sophisticated that the malicious file was apparently signed with legitimate Asus digital certificates to make it appear to be an authentic software update.

ShadowHammer attack

Kaspersky Lab said that it had discovered this “sophisticated supply chain attack involving the ASUS Live Update Utility” in January this year.

It informed Asus of its compromised server on 31 January and supported its investigation into the matter.

The attack took place between June and November 2018 and “affected a large number of users,” said Kaspersky Lab.

It should be remembered that Asus Live Update is pre-installed on most Asus computers. It automatically updates certain components on the machine such as BIOS, UEFI, drivers and applications.

“Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of Asus Live Update at some point in time,” wrote Kaspersky Lab. “We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.”

So what did the attackers do with the compromised update tool?

Well according to Kaspersky Lab, the the aim of the attack was to “surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses.”

It is thought that just 600 machines were specifically targetted by the attackers.

“We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques,” said the researchers. “The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.”

Supply chain attack

A number of security experts pointed out the dangers posed by supply chain attackers, where attackers exploit the customer’s trust of certain software from reputable vendors.

“Chains of trust utilising certificate signing to push software updates or patches are an important tool to prevent unauthorised patches,” said Thomas Richards, associate principal consultant at Synopsys.

“However, they need to be carefully monitored at all times to ensure that the chain of trust has not been broken,” said Richards. “Proper monitoring tools and policies should exist which verify software before it is sent to customers. This verification should contain an approvals paper trail which will highlight where the software originated from, the purpose, and the individual approvers in the various steps of the chain before the software was published.”

Another expert warned Asus customers to check if they were the few that the attackers had specifically targetted.

“While Asus may have released a fix, if you’ve already been compromised that might not be enough,” said Tim Erlin, VP of product management and strategy at Tripwire. “Affected users need to find out whether the attackers have actually targeted them, and then they need to assess the extent of the compromise.”

“This attack leveraged a very broad platform, the Asus updates, but then strategically targeted a small set of those initially compromised for further attack,” said Erlin. “The fix from Asus doesn’t help us understand who was targeted and why.”

“We still have relatively little information about how Asus was compromised,” Erlin added. “Information sharing is an important means by which we get better as an industry.”

The point about the small number of people being specifically targetted was also picked up by another expert.

“This is a complex attack – the attackers ensured that only a very small group of targeted individuals were affected,” said Martin Jartelius, CSO of Outpost24. “ Those targets were likely to have been identified by the MAC address of their systems, meaning the attacker must have been on the same network as them, or had previous access to their systems.”

“The attackers were prepared to use this access to disrupt a million plus users as collateral damage in order to get to about 600 pinpointed systems,” Jartelius cautioned. “As we know little about the breach, not much can be said beyond speculation. If the code signing keys were present in the environment of the update servers, and accessible to the attackers, this could be a failure in a defence in depth setup.”

And finally Justin Fier, director of cyber intelligence and analytics at Darktrace, said this attack is perfect example of how cyber attacks have changed, and grown increasingly sophisticated, with nation states sometimes becoming involved.

“This new hacking campaign leveraging Asus hardware is perfectly emblematic of the brave new world of cyber in which we live,” said Fier. “It has all the hallmarks of a well-planned cyber operation – it’s highly targeted, resource-intensive, and nearly impossible to detect.”

“Any threat-actor would require a tremendous amount of resources and backing to acquire the authentic certs from Asus in order to enter the supply chain,” said Fier. “This of course initiates the guessing game of who might be behind the campaign – and it isn’t too far-fetched to posit that nation states with loose cyber offense laws or international cyber-crime rings could be behind the activity.”

“But perhaps more alarming is the highly targeted nature of the attack – this is where we should be focusing our attention,” said Darktrace’s Fier. “In the entire world, these attackers were targeting just 600 machines. It’s only a matter of time before we find out that these targeted machines or people will have a unique thread linking them all together.”

Do you know all about security? Try our quiz!