ASUS Software Update used by Hackers to Attack Millions of Users
To date, the CCleaner hack of September 2017 had been considered the biggest cyber attack of all time: the largest supply chain attack seen so far, infecting almost 2.3 million users.
That record has now been overshadowed by an even larger supply chain attack tracked by researchers, one that has affected over 1 million computers. According to the reports, hackers targeted computers manufactured by ASUS.
What Are Supply Chain Attacks?
Supply chain attacks are attacks in which hackers plant malicious code inside a trusted platform so that it looks genuine. Because the malware arrives through a legitimate channel, attackers can spread it in an apparently legitimate manner and profit from the infections.
What is the Hack all about?
As per the blog posted by Kaspersky:
“A threat actor modified ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.”
Kaspersky has named the attack ShadowHammer, and researchers are linking it to the ShadowPad malware that has earlier been used in supply chain attacks. In this attack, the hackers took an old ASUS update from 2015, modified it carefully, and silently pushed it to ASUS computers. Kaspersky discovered this in January and reported it to the company so that a defense strategy could be planned.
As per the news, ASUS customers were not informed about this until Kaspersky announced the attack. As per Kaspersky's statistics:
“More than 57,000 users of Kaspersky Lab’s products have installed the backdoored utility, but we estimate it was distributed to about 1 million people total. The cybercriminals behind it were not interested in all of them, however — they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. To check if your MAC address is on the target list, use our tool, which you’ll find here.”
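The quote above explains that the backdoor carried only hashes of the target MAC addresses, which is why a self-check tool can be published without revealing the victims in clear text. The script below is an added example of such a self-check and is not Kaspersky's tool or code from the page: it normalizes a MAC address, hashes it, and compares the hash against a hardcoded list. The hash algorithm (MD5) and the MAC formatting (lowercase, colon-separated) are assumptions for illustration, the page does not state them, and the target list here is a constructed placeholder, not the real ShadowHammer list.

```python
import hashlib
import re
import uuid

# ASSUMPTION: the attacker hashed the MAC as a lowercase, colon-separated
# string with MD5. The real list would have to be compared with whatever
# normalization and digest the malware actually used.
MAC_RE = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the canonical lowercase colon-separated form."""
    hex_only = MAC_RE.sub("", mac)
    if len(hex_only) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_hash(mac: str) -> str:
    """Digest of the canonical MAC string (MD5 is an assumption, see above)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def is_targeted(mac: str, target_hashes: set) -> bool:
    """True if this MAC's digest appears in the hardcoded target list."""
    return mac_hash(mac) in target_hashes


def check_interfaces(macs, target_hashes):
    """Return the subset of the given MAC addresses that are on the list.
    Malformed entries are skipped rather than aborting the whole scan."""
    hits = []
    for mac in macs:
        try:
            if is_targeted(mac, target_hashes):
                hits.append(normalize_mac(mac))
        except ValueError:
            continue
    return hits


def local_primary_mac() -> str:
    """Best-effort MAC of the primary interface via the standard library.
    uuid.getnode() may return a random value if no interface is found."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


# CONSTRUCTED placeholder target list: one made-up MAC, hashed the same way
# the check hashes its input. These are NOT the real ShadowHammer hashes.
SAMPLE_TARGET_MAC = "00:11:22:33:44:55"
TARGET_HASHES = {mac_hash(SAMPLE_TARGET_MAC)}

if __name__ == "__main__":
    candidates = [local_primary_mac(), "00-11-22-33-44-55", "not-a-mac"]
    print("targeted:", check_interfaces(candidates, TARGET_HASHES))
```

Because the comparison is an exact hash match, a check like this only works if the normalization matches what the backdoor used; a different separator or letter case produces a different digest and a false negative, which is why the constructed list above is generated with the same function used for lookup.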
ASUS has finally started reaching out to its customers and is now assisting affected users in removing the security risk. As per a statement given by the company:
The company has released a new version of the Live Update software, version 3.6.8, which incorporates various mechanisms to verify the security of updates so that hackers cannot manipulate them. A more advanced end-to-end encryption method has also been added to strengthen the defenses, along with an advanced server-to-end-user architecture to avert future attacks.
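Kaspersky's description above notes that the trojanized utility kept the same file size as the original, and ASUS's statement speaks of new mechanisms to verify updates. The example below is added here to show the minimum such a verifier must do; it is not ASUS's code and the page does not describe how the 3.6.8 mechanism works. It checks a downloaded update against a pinned manifest (size and SHA-256) and demonstrates that a same-size tampered file passes the size check but fails the hash check. The manifest format and the sample payloads are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class UpdateManifest:
    """Constructed manifest format: what the client is expected to receive
    over a trusted channel (in practice the manifest itself must be signed
    and checked against a key pinned in the client)."""
    version: str
    size: int
    sha256: str


def verify_update(blob: bytes, manifest: UpdateManifest) -> dict:
    """Run both checks and report each result separately, so the caller can
    see that size agreement alone says nothing about integrity."""
    size_ok = len(blob) == manifest.size
    digest = hashlib.sha256(blob).hexdigest()
    # constant-time comparison so the check does not leak partial matches
    hash_ok = hmac.compare_digest(digest, manifest.sha256)
    return {"size_ok": size_ok, "hash_ok": hash_ok, "accepted": size_ok and hash_ok}


# CONSTRUCTED sample payloads: a benign updater image and a tampered copy
# that is padded to exactly the same length, as the page describes.
ORIGINAL_UPDATE = b"LiveUpdate(constructed sample) benign payload ........"
TROJANIZED_UPDATE = ORIGINAL_UPDATE[:-8] + b"BACKDOOR"
assert len(ORIGINAL_UPDATE) == len(TROJANIZED_UPDATE)

# The manifest pins the genuine image; a real deployment would pin this
# manifest with a signature from a key baked into the client.
PINNED_MANIFEST = UpdateManifest(
    version="3.6.8",
    size=len(ORIGINAL_UPDATE),
    sha256=hashlib.sha256(ORIGINAL_UPDATE).hexdigest(),
)

if __name__ == "__main__":
    print("original  :", verify_update(ORIGINAL_UPDATE, PINNED_MANIFEST))
    print("trojanized:", verify_update(TROJANIZED_UPDATE, PINNED_MANIFEST))
```

The design point is that the client must compare against something the attacker cannot control: a hash pinned in a manifest that is itself signed by a key the client already trusts. A file being code-signed with some valid certificate, as the ShadowHammer utility was, is not the same check, because an attacker with access to the vendor's signing pipeline can produce such a signature.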
Who Are The Victims?
The ShadowHammer attack is said to have been distributed to 1 million ASUS machines; however, only the 600 machines with the specific MAC addresses that were the main target were actually impacted by it.
Kaspersky has published the list of MAC addresses it suspects were targeted, so that the victims can be contacted and the main reason behind the attack can be found.
There have been many instances where contaminated updates to otherwise genuine software platforms have been the culprit behind supply chain attacks. The NotPetya outbreak in May 2017 and the CCleaner attack in June 2017 are some examples of the supply chain attacks commonly known as ShadowPad attacks.
While these were considered the biggest attacks of their time, a company as big as ASUS being attacked shows the bitter truth of how attackers compromise supply chain models for profit.