Software Supply Chain Attack Hits Computer Company Asus

Laura Bednar, Cybersecurity and Vulnerabilities

Asus Supply Chain Attack

ASUS Computer Update Lethal for ASUS Owners

What Asus computer users took for a legitimate update turned out to be malware in disguise. Hackers manipulated Asus’s software update and masked their identity so that the malicious software was delivered through Asus’s own servers. The successful malware campaign affected over one million unsuspecting Asus customers.

The Plan Behind the Attack

The majority of Asus users assumed that their regular software update was safe because it carried a valid signature backed by the company’s certificate. Each time a computer company pushes an update, the update must be code-signed with the company’s certificate. The hackers found a way to get a malicious build of the company’s Live Update Tool, which automatically updates software via the internet, digitally signed with that legitimate certificate.


The aim of a code-signing certificate is to assure users that the software came from the named publisher and to protect it from alteration after it has been signed. This hack makes it difficult for users to trust an update from the company itself, even when it does carry the appropriate certificate.
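To make the two guarantees of a code signature concrete, and to show why a valid signature alone did not protect Asus users, here is an added example (not Asus’s Live Update code and not Kaspersky’s tooling). It uses Ed25519 as a stand-in for the X.509-based signing the page describes. The names `SignUpdate`, `VerifySignature`, `ReleaseManifest` and `AcceptUpdate` are this example’s own. A tampered file fails verification, as expected; but a malicious build signed with the legitimate key verifies just as cleanly as the genuine one, so the hardened client additionally checks the update’s digest against a list of builds the vendor is known to have released (assumed here to be published out of band).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is a release artifact as a client downloads it: the bytes of the
// installer plus the publisher's signature over those bytes.
type Update struct {
	Payload   []byte
	Signature []byte
}

// NewPublisherKey creates the vendor's signing key pair (constructed for
// the example; a real vendor would hold this in an HSM or signing service).
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate produces a signed update. Whoever can invoke this with the
// vendor's key can make any payload look authentic.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignature is the check the page describes: the payload was signed
// by the holder of the publisher key and has not changed since.
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// Digest returns the hex SHA-256 of a payload, the value a release
// manifest would list for each build.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// ReleaseManifest is an out-of-band set of digests of builds the vendor
// actually released (assumed to live somewhere the update server cannot
// silently rewrite, e.g. a separately published list or transparency log).
type ReleaseManifest map[string]bool

// AcceptUpdate is the hardened client check: a valid signature is
// necessary but not sufficient; the build must also be a known release.
func AcceptUpdate(pub ed25519.PublicKey, m ReleaseManifest, u Update) bool {
	return VerifySignature(pub, u) && m[Digest(u.Payload)]
}

func main() {
	pub, priv := NewPublisherKey()

	// Constructed payloads standing in for installer bytes.
	genuine := []byte("constructed genuine Live Update build")
	malicious := []byte("constructed old build with injected code")
	manifest := ReleaseManifest{Digest(genuine): true}

	g := SignUpdate(priv, genuine)
	fmt.Println("genuine build: signature ok =", VerifySignature(pub, g),
		"accepted =", AcceptUpdate(pub, manifest, g))

	// Flip one byte after signing: integrity check catches it.
	tampered := Update{Payload: append([]byte{}, genuine...), Signature: g.Signature}
	tampered.Payload[0] ^= 1
	fmt.Println("tampered build: signature ok =", VerifySignature(pub, tampered))

	// Signed with the legitimate key: the signature check alone passes.
	m := SignUpdate(priv, malicious)
	fmt.Println("malicious signed build: signature ok =", VerifySignature(pub, m),
		"accepted =", AcceptUpdate(pub, manifest, m))
}
```

The design point is that a signature answers "who signed this?" and "was it changed afterwards?", not "should this build exist?"; the manifest check (or, in production, reproducible builds and a transparency log) is what answers the third question.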

The attackers gained access to the certificates through the company’s sprawling supply chain, the global line of developers who create software and other components for Asus’s computers. Attacks of this kind are difficult to pinpoint because the intruders infiltrate the company under the radar.

Finding the Scope of the Attack

Cybersecurity firm Kaspersky Lab found the malware disguised as an update in January of this year using a new supply-chain detection technology. The program can catch anomalous code fragments hidden in legitimate code, or code that takes over normal operations.

The malware-filled Asus Live Update was pushed out between June and November of 2018. The file the hackers used was called “setup.exe” and turned out to be an old update from 2015 injected with new malicious code and carrying the valid certificate. The unusual part of this attack was that the hackers were targeting a select group of people. Though the number of PCs that installed the software was roughly in the hundreds of thousands, only 600 MAC addresses were identified as having received the second-stage malware.

A Media Access Control (MAC) address is a unique identifier assigned to a network interface, and by extension to the computer it sits in. It is used for addressing on the local network by technologies such as Ethernet or Bluetooth. The hackers cast a broad net with their malware and then narrowed their focus to a small group of machines identified by MAC address. This selective approach is what allowed the attack to fly under the radar for as long as it did.
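The defender’s counterpart to MAC-based targeting is the check Kaspersky and Asus both offered in some form: compare the MAC addresses of a machine’s interfaces against a list of targeted addresses. The example below is added here and is not either company’s tool; the indicator values in it are constructed, not the real ShadowHammer list, and the names `NormalizeMAC`, `Watchlist`, `NewWatchlist` and `Matches` are the example’s own. The practical difficulty it addresses is that different tools print MAC addresses differently (colons, hyphens, Cisco dotted form, uppercase, bare hex), so every value must be canonicalised before comparison, and indicators that cannot be parsed must be reported rather than silently dropped.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// NormalizeMAC canonicalises a textual MAC address to lowercase,
// colon-separated form so that values written by different tools or an
// indicator feed compare equal. It accepts the forms net.ParseMAC
// understands (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff) plus
// the bare 12-hex-digit form, and rejects anything that is not 48 bits.
func NormalizeMAC(s string) (string, error) {
	s = strings.TrimSpace(s)
	if len(s) == 12 && !strings.ContainsAny(s, ":-.") {
		// Bare form: insert colons so net.ParseMAC can handle it.
		var b strings.Builder
		for i := 0; i < 12; i += 2 {
			if i > 0 {
				b.WriteByte(':')
			}
			b.WriteString(s[i : i+2])
		}
		s = b.String()
	}
	hw, err := net.ParseMAC(s)
	if err != nil {
		return "", err
	}
	if len(hw) != 6 {
		return "", fmt.Errorf("%q is not a 48-bit MAC address", s)
	}
	return hw.String(), nil // HardwareAddr.String() is lowercase with colons
}

// Watchlist is a set of normalised MAC addresses from an indicator feed.
type Watchlist map[string]bool

// NewWatchlist normalises each entry. Malformed entries are returned to the
// caller because an indicator that is silently skipped is a blind spot.
func NewWatchlist(entries []string) (Watchlist, []string) {
	wl := Watchlist{}
	var bad []string
	for _, e := range entries {
		m, err := NormalizeMAC(e)
		if err != nil {
			bad = append(bad, e)
			continue
		}
		wl[m] = true
	}
	return wl, bad
}

// Matches returns, in normalised form, the interface addresses that appear
// on the watchlist. Unparseable interface strings are simply not matches.
func (wl Watchlist) Matches(ifaceMACs []string) []string {
	var hits []string
	for _, s := range ifaceMACs {
		m, err := NormalizeMAC(s)
		if err == nil && wl[m] {
			hits = append(hits, m)
		}
	}
	return hits
}

func main() {
	// Constructed indicator list in mixed notations; not real targets.
	wl, bad := NewWatchlist([]string{
		"00-11-22-33-44-55", "0011.2266.7788", "AABBCCDDEEFF", "not-a-mac",
	})
	fmt.Println("unparseable indicators:", bad)

	// Check the addresses of this host's own interfaces.
	ifaces, err := net.Interfaces()
	if err != nil {
		panic(err)
	}
	var local []string
	for _, i := range ifaces {
		if len(i.HardwareAddr) == 6 {
			local = append(local, i.HardwareAddr.String())
		}
	}
	fmt.Println("local interfaces:", local)
	fmt.Println("matches:", wl.Matches(local))
}
```

One caveat worth keeping in mind when running such a check: operating systems that randomise Wi-Fi MAC addresses will report an address that never appears on a hardware-based target list, so the absence of a match on a randomised interface says nothing about the burned-in address.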

Unusual Connections

The most unsettling part of the attack is that the cybersecurity researchers could not pinpoint what the hackers were looking for in the 600 systems singled out from the nearly one million. While the attack was broad, only those 600 faced a real threat to their systems; the remaining thousands who installed the update would not have any serious issues.

The attack was named “ShadowHammer,” as it is believed to be related to “ShadowPad,” one of the largest known supply-chain attackers. ShadowPad was linked to the CCleaner supply chain attack, which also infected millions but added a second-stage backdoor only to a select group, much like the Asus case.

Recovering from a Malware Attack

Asus released a statement after Kaspersky exposed the attack. They explained that they were reaching out to affected users and had implemented a fix in the latest version of the Live Update software. They added that they had taken further security steps and “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.”

The experts at Secure Forensics can detect and remove malware and spyware from a wide range of devices. They will not only find and remove the malware, but will also provide a report detailing the type of malware, when the infection occurred, and what data was compromised. Call 1-800-288-1407 for more information.