On Monday, we saw once again how criminals can exploit trust and use it as a weakness.
Cybersecurity reporter Kim Zetter revealed that one of the world’s largest computer manufacturers, Taiwan-based ASUS, had mistakenly installed a backdoor program dubbed “ShadowHammer” onto the computers of thousands of customers after hackers infiltrated the company’s automated software update system.
Experts offering initial estimates suggest the trojanized update may have affected up to half a million Windows machines. Kaspersky reported 57,000 users of ASUS’s product were attacked, “but we estimate it was distributed to about 1 million people total.” Symantec telemetry showed 13,000 infections (80 percent of which were consumers, not organizations). The full scope of the attack has yet to be established.
The attacker’s motive remains unclear, but Kaspersky noted that 600 MAC addresses were specifically targeted, even though the malicious update affected far more.
Gizmodo has reached out to ASUS for comment and we’ll update as soon as one is provided. Zetter said she first reached out to ASUS on Thursday but had yet to get a response.
ShadowHammer is what’s known as a supply-chain attack—when hackers compromise targets by injecting malicious code into the hijacked software update of a third-party service. On average, businesses are far less suspicious of these updates because they’re deployed by vendors whose software is already trusted. Applying updates is also something IT professionals are told to do right away, as they routinely contain security patches intended to make a product safer.
This form of transitive trust is becoming increasingly perilous due to an uptick in supply-chain attacks, as several end-of-2018 analyses of the evolving threat landscape described. Symantec, for example, found that supply-chain attacks had increased by 78 percent compared to the previous year. Notable incidents involved CCleaner, a widely used security clean-up tool, and the NotPetya attacks, in which a payload was injected into Ukrainian accounting software.
Noting that the malicious file was signed using ASUS’s digital certificates and distributed through official channels, a research and analysis director at Kaspersky told Zetter that the incident illustrates “that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware.”
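The point the Kaspersky director makes above is that a valid vendor signature proves only that the vendor's release key signed the file, not that the vendor meant to ship it: once an attacker sits inside the build or update pipeline, their payload goes through the same signing step as a genuine release. The following Go program is an added illustration written for this article, not ASUS's or Kaspersky's code, and it models nothing about the actual Live Update mechanism. It assumes a constructed vendor with an Ed25519 release key, a constructed genuine payload and trojanized payload, and a hypothetical second check: an out-of-band release manifest of payload hashes that the update server never controls. The signature-only client accepts the trojanized update; the client that also consults the manifest rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed model of a signed update package: the vendor's
// release pipeline signs the payload bytes with its release key.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Vendor holds a release signing key. The key is generated here for the
// example; no real vendor key is involved.
type Vendor struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{Pub: pub, priv: priv}, nil
}

// Sign is the release pipeline's signing step. An attacker who controls the
// pipeline gets an arbitrary payload through this exact step, which is why a
// valid signature alone says nothing about intent.
func (v *Vendor) Sign(payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(v.priv, payload)}
}

// VerifySignatureOnly models the trust model the article describes: accept
// anything carrying a valid signature from the known vendor key.
func VerifySignatureOnly(vendorPub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(vendorPub, u.Payload, u.Signature)
}

// Manifest is a hypothetical second record of the payload hashes the vendor
// actually intended to ship, published through a channel the update server
// does not control. This is an assumed defensive design, not ASUS's.
type Manifest struct {
	Hashes map[string]bool
}

func sha256Hex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

var (
	ErrBadSignature  = errors.New("signature does not verify against vendor key")
	ErrNotInManifest = errors.New("payload hash not in published release manifest")
)

// VerifyWithManifest requires both a valid vendor signature and a hash match
// against the out-of-band manifest, so compromising the signing pipeline
// alone is no longer enough.
func VerifyWithManifest(vendorPub ed25519.PublicKey, m Manifest, u Update) error {
	if !ed25519.Verify(vendorPub, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	if !m.Hashes[sha256Hex(u.Payload)] {
		return ErrNotInManifest
	}
	return nil
}

// Result reports how each client policy treats the two constructed updates.
type Result struct {
	SigOnlyAcceptsTrojan bool
	ManifestErrTrojan    error
	ManifestErrGenuine   error
}

// RunScenario builds the constructed vendor, genuine release, manifest and
// trojanized release, then runs both client policies over them.
func RunScenario() (Result, error) {
	vendor, err := NewVendor()
	if err != nil {
		return Result{}, err
	}
	genuine := vendor.Sign([]byte("constructed genuine update payload"))
	manifest := Manifest{Hashes: map[string]bool{sha256Hex(genuine.Payload): true}}
	// The attacker inside the pipeline gets their own payload signed too.
	trojan := vendor.Sign([]byte("constructed trojanized update payload"))
	return Result{
		SigOnlyAcceptsTrojan: VerifySignatureOnly(vendor.Pub, trojan),
		ManifestErrTrojan:    VerifyWithManifest(vendor.Pub, manifest, trojan),
		ManifestErrGenuine:   VerifyWithManifest(vendor.Pub, manifest, genuine),
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature-only client accepts trojan:", r.SigOnlyAcceptsTrojan)
	fmt.Println("manifest client on trojan:", r.ManifestErrTrojan)
	fmt.Println("manifest client on genuine:", r.ManifestErrGenuine)
}
```

The manifest only helps if it is produced and signed somewhere the update infrastructure cannot reach, which is the design point: a second, independently controlled source of truth about what was meant to ship turns a single pipeline compromise into a detectable mismatch rather than a silently accepted update.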
As she noted, ASUS has previously settled charges brought by the Federal Trade Commission (FTC) over vulnerabilities in its routers—flaws that it was accused of concealing from consumers for a year or more—by promising to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”
It’s too early to tell whether the FTC will take action and investigate this incident, or whether it will consider it a violation of its previous order. (The FTC Act empowers the commission to seek civil penalties and/or injunctive relief when companies violate such agreements.)
“While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack,” reported Kaspersky, which also advised anyone using the ASUS Live Update Utility to update it at once.
A technical paper revealing more about ShadowHammer will be released, the company said, during the Kaspersky Security Analyst Summit next month.
Update, 3/27: ASUS released the following statement:
ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
ASUS also released an online diagnostic tool which it says can be used to check for affected systems. (Use at your own discretion.)