Warning: ASUS Software Update Server Hacked to Distribute Malware
Remember the CCleaner hack?
CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017.
Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS.
A group of state-sponsored hackers last year managed to hijack ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide.
According to cybersecurity researchers from Russian firm Kaspersky Lab, who discovered the attack and dubbed it Operation ShadowHammer, Asus was informed about the ongoing supply chain attack on Jan 31, 2019.
After analyzing over 200 samples of the malicious updates, researchers learned that hackers did not want to target all users, instead only a specific list of users identified by their unique MAC addresses, which were hardcoded into the malware.
Like the CCleaner and ShadowPad hacks, the malicious file was signed with legitimate ASUS digital certificates in order to make it look an official software update from the company and to remain undetected for a long time
Researchers didn’t attribute the attack to any APT group at this moment, but certain evidence linked the latest attack to the ShadowPad incident from 2017, which Microsoft attributed to the BARIUM APT actors behind the Winnti backdoor
According to Kaspersky, the backdoored version of ASUS Live Update was downloaded and installed by at least 57,000 Kaspersky users.
Symantec told Vice that the company identified the malware on more than 13,000 machines running its antivirus software.
Most of the victims Kaspersky detected are from Russia, Germany, France, Italy, and the United States, though the malware infected users from around the world.
Kaspersky has notified ASUS and other antivirus companies of the attack while the investigation into the matter is still ongoing.
The antivirus firm has also released an automated tool for users to check whether they had specifically been targeted by the ShadowHammer advanced persistent threat.