Large software and hardware manufacturers are generally a trusted source for updates, but that same level of trust with consumers is what makes these groups a heavy target for hackers. The recent infiltration of ASUS made it all too clear that no one is safe from the threat of malware attacks. The Taiwan-based tech giant recently was the high-profile victim of hackers as their automatic update tool was leveraged to distribute a malicious backdoor on nearly a million computers and other devices before the discrepancy was identified — over five months after the update was launched.
Trusted Digital Signature — Tainted Software
The malware distribution took so long to identify due to the accurate digital signature that the hackers were able to put in place. ASUS computers accepted the malware due to the “acceptable” digital signature, even though the software package itself was tainted. The delivery package was only the first wave of the attack, opening a potential vulnerability in the systems that were affected. Now, hackers are able to target these machines at will. To date, only about 600 machines have been hit with this second-stage attack. The hack happened sometime in late 2018, with Kapersky notifying ASUS of the situation in January 31, 2019.
ASUS Implements Advanced Security Measures
How is ASUS responding? Oddly enough, they didn’t raise the alarm with customers until digital security firm Kapersky went public with their findings around the attack, which they’re calling ShadowHammer. This notification to customers downplayed the severity of the attack, calling it an “attempt to target a very small and specific user group” in the official statement posted on their website. ASUS noted that they released a fix in the most recent version of the Live Update, one that included additional security measures that were meant to reduce the possibility of this happening in the future. Not only did the company strengthen its end-to-end software architecture, but they also enhanced the overall encryption of their updates.
Supply Chain Attacks Growing in Prominence
This is far from the first time that attackers have decided to go up the supply chain to target computers. The notPetya cyberattack that devastated machines throughout the US, Europe, Australia and Asia was delivered as an upgrade to popular accounting software that experts claim was made not for the demanded ransom — but just to spread mayhem throughout the world. The hackers who built and distributed the ransomware used much of the code from Petya, but that is where the similarities ended. With notPetya, the cybercriminals clearly didn’t think through their process for collecting money from victims, as it quickly disintegrated under the pressure of organizations attempting to pay and request their unlock keys. Unfortunately, the damage was already done as not Petya spread rapidly through networks, infecting machines and destroying files as it went. Microsoft, CCleaner and Transmission are a few other organizations that have been the victim of this type of attack vector over the past decade.
Are My Computers Infected?
With any attack of this scale, the first question on business owners’ minds is whether or not their organization may be vulnerable to this particular issue with ASUS. The service professionals at ASUS have been busily reaching out to customers since the update was released, along with the recommendation that you update their latest security patches and updates to ensure that the effects of the hack are washed from your system. Security giant Kapersky Labs has created an easy tool to determine whether your device was one of the millions affected by ShadowHammer, with the results based on your MAC address.
With hundreds of thousands of devices receiving the primary payload and only 600 devices targeted for a secondary wave, cyberattacks such as ShadowHammer are meant to cast a wide net in the hopes of getting the highly detailed information on a limited audience that they need. A key benefit of working with an IT solutions provider is their constant focus on security, allowing them to proactively scan sources such as Kapersky and take immediate measures to remediate the scope of the attack.
Author: Aaron White, Date: 16th April 2019