Asus Live Update servers, the ones used to roll out updates to its devices, have been compromised.
This has resulted in thousands of Asus computers being infected with malware. The threat was discovered by Kaspersky Lab after attackers managed to compromise Asus's update servers.
Dubbed ShadowHammer, the threat was active between June and November 2018. According to data gathered by Kaspersky's telemetry, it left a large number of Asus customers exposed to backdoor attacks once the malware made contact with its command and control server.
As per their gathered statistics, over 57,000 Kaspersky users downloaded and installed the backdoored version of Asus Live Update at some point during those months.
Although Kaspersky cannot give an exact number of affected users based on its own data, the problem probably affects millions of users worldwide.
“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation.”
Kaspersky's researchers were able to extract more than 600 unique MAC addresses from over 200 samples used in the attack, though they noted there might be other MAC address lists out there used in the targeted attacks.
Only a small subset of the thousands of infected machines appears to have been targeted by the attackers. They clearly had specific targets in mind, but the reason remains unclear.
ShadowHammer has now been neutralized and is no longer spreading, and Asus has also created and released an online security diagnostic tool to check for affected systems.
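As an added illustration (not ASUS's or Kaspersky's code) of the kind of check such a diagnostic tool performs, the script below normalizes MAC addresses written in any common format, pulls the host's adapter MACs out of `ip link` or `ipconfig` text, and reports whether any of them appears in the attackers' hardcoded target list. The target list and the adapter output are constructed placeholders; the real ShadowHammer list is not on this page.

```python
import re

# Constructed placeholder list standing in for the attackers' hardcoded target
# MACs (the real list is not on this page). Mixed formats are deliberate.
TARGETED_MACS = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF", "0123.4567.89ab"]

# Addresses that show up in adapter listings but never identify a host.
_IGNORED = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}
# Six hex pairs separated by ':' or '-', not glued to surrounding hex text.
_MAC_IN_TEXT = re.compile(
    r"(?<![0-9A-Fa-f:.-])([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?![0-9A-Fa-f:.-])"
)


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'aabbccddeeff' or
    'aa:bb:cc:dd:ee:ff' (any case) to lowercase colon form; reject anything else."""
    digits = re.sub(r"[:.\- ]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_macs(adapter_output: str) -> list:
    """Pull unicast adapter MACs out of `ip link` ('link/ether ...') or Windows
    ipconfig ('Physical Address ... : AA-BB-...') text, in the order seen."""
    found = []
    for raw in _MAC_IN_TEXT.findall(adapter_output):
        mac = normalize_mac(raw)
        if mac not in _IGNORED and mac not in found:
            found.append(mac)
    return found


def check_host(adapter_output: str, target_list) -> dict:
    """Report whether any adapter on this host is in the attackers' target pool."""
    targets = {normalize_mac(m) for m in target_list}
    host_macs = extract_macs(adapter_output)
    hits = sorted(m for m in host_macs if m in targets)
    return {"host_macs": host_macs, "targeted": hits, "in_target_pool": bool(hits)}


# Constructed sample of `ip link` output for a host with two adapters.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500
    link/ether 10:20:30:40:50:60 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print(check_host(SAMPLE_IP_LINK, TARGETED_MACS))
```

On a real machine, feed it the output of `ip link` or `ipconfig /all` and a target list obtained from a vendor or vendor-published checker; a hit means the host was in the intended pool, not merely that it ran the trojanized updater.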
“Asus Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from Asus,” the firm’s statement reads.
“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
“ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.”
The issue has been fixed, but this incident is another example of attackers targeting the software supply chain: malicious code pushed through a trusted update channel arrives digitally signed, so it is practically guaranteed to reach the computers it is sent to, and exploitation is far easier once it is already on the machine.
This has happened before with CCleaner, and it was quickly patched. Malware developers will continue to target supply chains, since that lets them go unnoticed while reaching a widespread infection base.
Computer manufacturers and other companies that distribute software online should rigorously check their supply chains to prevent this from happening again.