Taiwanese computer maker ASUS may have inadvertently distributed malware to over 1 million users of its systems worldwide after attackers compromised software update servers at the company last year, Kaspersky Lab said in a report Monday.
Available telemetry shows the attackers planted the malware, disguised as legitimate software, on servers that ASUS uses to automatically push out software and firmware updates to users of its systems. The poisoned updates were hard to spot and block because they were digitally signed using legitimate ASUS certificates, Kaspersky Lab said.
The attacks happened between June and November 2018 and impacted ASUS customers that had enabled the ASUS Live Update utility on their systems. The utility is preinstalled on most ASUS computers and is used to automatically update applications, software drivers, firmware, and other components.
Though the rogue updates were likely installed on a large number of ASUS systems, the attackers themselves appear to have been interested in only a select few, based on a list of unique MAC addresses hard-coded into the malware, Kaspersky Lab said. "For now the real targets of this attack, surgically selected by 600-plus MAC addresses, remain unknown," says Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team. "We continue to investigate this attack and hopefully will be able to answer this question soon."
ASUS did not respond to a request for comment via its general media inquiry email address.
The attacks, which Kaspersky Lab has dubbed Operation ShadowHammer, are not the first instance of threat actors attempting to distribute malware tools by embedding them in legitimate software products and updates.
In 2017 a threat group managed to install a multistage data-stealer into a version of Avast's CCleaner software that hundreds of thousands of users later downloaded to their systems. Then, as now, the malware impacted a large number of people, though one of the main goals of the campaign was to steal sensitive data from a handful of targeted technology companies, including Cisco, Microsoft, Google, Sony, and HTC.
In another incident, a Chinese threat group quietly embedded a backdoor Trojan, dubbed ShadowPad, into a server management software product from NetSarang Computer that was used by many large organizations.
Supply Chain Attack Challenges
"Catching supply chain attacks is extremely difficult [and is] possibly one of the biggest problems in IT security at the moment," Raiu says. Kaspersky has been working on new technologies for spotting such attacks based on code anomalies, code similarity, and traffic checking. "One of these technologies allowed us to catch the ShadowHammer attacker, as well as several attacks that we suspect are related," he says.
According to Kaspersky Lab, its investigation suggests that the group behind the attacks on ASUS systems is Barium, a threat actor that Microsoft recently identified as being responsible for embedding ShadowPad in NetSarang's software. Barium is also believed to be behind several attacks on developers of gaming applications, Kaspersky Lab said, pointing to a report from ESET.
One aspect of the ShadowHammer attacks that remains unclear is how exactly the attackers obtained the unique MAC addresses of the intended victims. "Although we do not know for sure, we believe these may have been obtained through previous supply chain attacks, such as ShadowPad and CCleaner," Raiu notes.
"Barium poses a very large threat to enterprise organizations," says Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs. The group is associated with "Winnti," a larger umbrella group tied to numerous previous cyber intelligence operations against big organizations, he notes.
Barium's typical tactic is to attack organizations with a large distribution of users and then use those organizations to pursue targets aligned with its long-term interests, he says. The attacks usually involve the use of malware signed with stolen code signing certificates, Hegel notes. "This adversary is able to conduct large scale attacks to go after a small few individuals, which provides context into their sophistication and strong capability to pursue a mission," Hegel says.
Mark Orlando, CTO of cyber protection solutions at Raytheon Intelligence, Information and Services, says the presence of MAC addresses indicates the wide-ranging ShadowHammer attack was launched for the purpose of targeting a relatively small number of very specific devices.
Detecting ShadowHammer-like attacks can be extremely challenging for organizations, he says. Even those taking the extra precaution of comparing new software update files to the "official" update using hash values wouldn't have uncovered anything suspicious since the attackers replaced legitimate updates on the server with their own, Orlando notes.
Also, in this particular instance, the malware is designed to sit dormant if the victim machine's hardware address doesn't match the MAC address of one of the 600 intended targets. Only defenders that know what to look for in advance have much of a chance to detect and stop such attacks, Orlando says.
"The best protection against this threat is a skilled defender who can quickly assess the malicious files or review available reporting and hunt for matching behaviors," he notes. Monitoring for suspicious network traffic to domain lookalike sites might also help detect second-stage downloads of additional malicious code.
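The lookalike-domain monitoring Orlando describes can be approximated with a small resolver-log check. The following is an added example written for this article, not code from Kaspersky Lab, ASUS or the researchers quoted; the trusted domain, the homoglyph table and the log lines are constructed placeholders, and the "registrable domain" logic is a deliberate simplification that ignores multi-part public suffixes.

```python
import re
# Constructed watchlist: placeholder name, not a real ASUS update host.
TRUSTED_DOMAINS = {"example-vendor.com"}
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("5", "s"), ("rn", "m"), ("vv", "w")]
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

def fold(label):
    """Undo digit/letter swaps commonly used in lookalike registrations."""
    for glyph, letter in HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return label

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname):
    """Return 'trusted', 'lookalike' or 'other' for a queried hostname."""
    # Registrable part = last two labels (simplification: ignores co.uk etc.).
    dom = ".".join(hostname.lower().rstrip(".").split(".")[-2:])
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    name = fold(dom.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        brand = fold(trusted.split(".")[0])
        # One edit away (typo-squat, TLD swap) or the brand inside a longer label.
        if levenshtein(name, brand) <= 1 or brand in name:
            return "lookalike"
    return "other"

def find_lookalike_queries(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and classify(m["query"]) == "lookalike":
            hits.append((m["client"], m["query"]))
    return hits

# Constructed sample resolver log lines; not from the real incident.
SAMPLE_LOG = [
    "2018-09-12T10:15:03Z client=ws-042 query=liveupdate.example-vendor.com",
    "2018-09-12T10:15:09Z client=ws-042 query=cdn.examp1e-vendor.com",
    "2018-09-12T10:16:44Z client=ws-017 query=example-vendor-update.net",
    "2018-09-12T10:17:01Z client=ws-017 query=www.python.org",
]
```

Hits from `find_lookalike_queries(SAMPLE_LOG)` are the hosts worth pulling for triage: a workstation that just fetched a signed update and then resolved a near-miss of the vendor's domain is exactly the second-stage pattern the article warns about.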
"Overall, organizations must update their threat models to include signed updates from trusted sources, and avoid excluding those updates from security monitoring and other detection mechanisms," Orlando says.