1 million ASUS computers targeted by hackers through malicious ASUS Live Update Utility software
The Russian cybersecurity firm Kaspersky Labs in a blog post disclosed that they detected a new advanced persistent threat (APT) campaign that compromised system updates to install a malicious backdoor on ASUS laptops and desktops of over 1 million users in what is known as a supply chain attack.
Kaspersky Lab has described the ASUS hack as “one of the biggest supply-chain attacks ever.”
Apparently, the hackers behind the APT operation dubbed ‘ShadowHammer’ modified the ASUS Live Update Utility – a pre-installed utility in most new ASUS computers – which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops. The hackers injected a backdoor in the ASUS Live Update Utility between June and November last year, which was discovered by Kaspersky researchers in January 2019.
Kaspersky Labs estimate that the backdoored version of ASUS Live Update was downloaded and installed by more than 57,000 Kaspersky users, but it was distributed to around 1 million people.
Kaspersky researcher @craiu wrote on Twitter: “Asus Live Updater was used in a big supply chain attack we dubbed Operation #ShadowHammer. We estimate this may have affected over 1 million computer users between June and Nov 2018.” https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
“Each backdoor code contained a table of hardcoded MAC addresses – the unique identifier of network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor verified its MAC address against this table. If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity, which is why it remained undiscovered for such a long time. In total, security experts were able to identify more than 600 MAC addresses. These were targeted by over 230 unique backdoored samples with different shellcodes.”
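The gating logic quoted above is what made the implant quiet on untargeted machines: unless the local network adapter's MAC address was in the hardcoded table, nothing was downloaded. The defensive counterpart is to check a machine's adapters against a published list of targeted addresses. The script below is an added example written for this article, not Kaspersky's or ASUS's code. It assumes a target list is distributed as SHA-256 fingerprints of normalized MAC addresses (an assumption made here so the list can be shared without disclosing raw addresses; it is not a claim about how the real samples stored their table), and every MAC value and adapter listing in it is constructed for illustration, not taken from the ShadowHammer table.

```python
import hashlib
import re

# Constructed sample target list: placeholder values for illustration only,
# NOT addresses from the real ShadowHammer table (the article publishes none).
SAMPLE_TARGET_MACS = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-FF",
]

# Constructed sample of an adapter listing, in the style of `ipconfig /all` output.
SAMPLE_ADAPTER_LISTING = """
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 66-77-88-99-AA-BB
"""

# Matches 00:11:22:33:44:55 and 00-11-22-33-44-55 (separator must be consistent).
_MAC_IN_TEXT_RE = re.compile(r"(?i)\b([0-9a-f]{2}([:-])(?:[0-9a-f]{2}\2){4}[0-9a-f]{2})\b")
_CANONICAL_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.

    Accepts colon, hyphen, dot or space separated notations as well as bare hex,
    so the same adapter compares equal regardless of how a tool printed it.
    """
    hexstr = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _CANONICAL_RE.match(hexstr):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexstr


def mac_fingerprint(mac: str) -> str:
    """SHA-256 of the canonical MAC; the form assumed for the shared target list."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_index(target_macs):
    """Index of fingerprints for O(1) lookup, mirroring the implant's own table check."""
    return {mac_fingerprint(m) for m in target_macs}


def extract_macs(adapter_listing: str):
    """Pull every MAC-looking token out of tool output such as `ipconfig /all` or `ip link`."""
    return [m.group(1) for m in _MAC_IN_TEXT_RE.finditer(adapter_listing)]


def find_targeted_adapters(local_macs, target_index):
    """Return canonical MACs of local adapters whose fingerprint is in the target index."""
    hits = []
    for mac in local_macs:
        try:
            fingerprint = mac_fingerprint(mac)
        except ValueError:
            continue  # skip malformed tokens rather than abort the whole scan
        if fingerprint in target_index:
            hits.append(normalize_mac(mac))
    return hits


def check_listing(adapter_listing: str, target_macs):
    """Convenience wrapper: scan a captured adapter listing against a target list."""
    return find_targeted_adapters(extract_macs(adapter_listing), build_target_index(target_macs))


if __name__ == "__main__":
    matches = check_listing(SAMPLE_ADAPTER_LISTING, SAMPLE_TARGET_MACS)
    if matches:
        print("adapters on the target list:", ", ".join(matches))
    else:
        print("no adapters matched the target list")
```

On a real host, the listing would come from `ipconfig /all` (Windows) or `ip link` (Linux) captured to a file and passed to `check_listing`; a match means the machine would have passed the implant's gate and its update-utility binaries and outbound connections deserve closer review, while no match says nothing about whether the backdoored updater itself is present.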
A search for similar malware by Kaspersky researchers found that another three vendors based in Asia too were infected with the same backdoor software.
Vitaly Kamluk, Director of Global Research and Analysis Team for APAC at Kaspersky Lab, said: “The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack. However, techniques used to achieve unauthorized code execution, as well as other discovered artefacts suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays.”
Kaspersky contacted ASUS on January 31 to inform them about the supply chain attack targeting the ASUS Live Update utility, and its investigation is ongoing. They also informed the other three unnamed vendors about the attacks.
Kaspersky Lab will be presenting full findings on Operation ShadowHammer at Security Analyst Summit 2019 scheduled to be held in Singapore from April 9 to April 11.