Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:10 PM
Connect Directly

Attackers Compromise ASUS Software Update Servers to Distribute Malware

ShadowHammer campaign latest to highlight dangers of supply chain attacks.

Taiwanese computer maker ASUS may have inadvertently distributed malware to over 1 million users of its systems worldwide after attackers compromised software update servers at the company last year, Kaspersky Lab said in a report Monday.

Available telemetry shows the attackers planted the malware, disguised as legitimate software, on servers that ASUS uses to automatically push out software and firmware updates to users of its systems. The poisoned updates were hard to spot and block because they were digitally signed using legitimate ASUS certificates, Kaspersky Lab said.

The attacks happened between June and November 2018 and impacted ASUS customers that had enabled the ASUS Live Update utility on their systems. The utility is preinstalled on most ASUS computers and is used to automatically update applications, software drivers, firmware, and other components.

Though the rogue updates were likely installed on a large number of ASUS systems, the attackers themselves appear to have been interested in only a select few, based on a list of unique MAC addresses hard-coded into the malware, Kaspersky Lab said. "For now the real targets of this attack, surgically selected by 600-plus MAC addresses, remain unknown," says Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team. "We continue to investigate this attack and hopefully will be able to answer this question soon."

ASUS did not respond to a request for comment via its general media inquiry email address.

The attacks, which Kaspersky Lab has dubbed Operation ShadowHammer, is not the first time threat actors have attempted to distribute malware tools by embedding them into legitimate software products and updates.

In 2017 a threat group managed to install a multistage data-stealer into a version of Avast's CCleaner software that hundreds of thousands of users later downloaded to their systems. Then, as now, the malware impacted a large number of people, though one of the main goals of the campaign was to steal sensitive data from a handful of targeted technology companies, including Cisco, Microsoft, Google, Sony, and HTC.

In another incident, a Chinese threat group quietly embedded a backdoor Trojan, dubbed ShadowPad, into a server management software product from NetSarang Computer that was used by many large organizations.

Supply Chain Attack Challenges
"Catching supply chain attacks is extremely difficult [and is] possibly one of the biggest problems in IT security at the moment," Raiu says. Kaspersky has been working on new technologies for spotting such attacks based on code anomalies, code similarity, and traffic checking. "One of these technologies allowed us to catch the ShadowHammer attacker, as well as several attacks that we suspect are related," he says.

According to Kaspersky Lab, its investigation suggests that the group behind the attacks on ASUS systems is Barium, a threat actor that Microsoft recently identified as being responsible for embedding ShadowPad in NetSarang's software. Barium is also believed to be behind several attacks on developers of gaming applications, Kaspersky Lab said, pointing to a report from ESET.

One aspect of the ShadowHammer attacks that remains unclear is how exactly the attackers obtained the unique MAC addresses of the intended victims. "Although we do not know for sure, we believe these may have been obtained through previous supply chain attacks, such as ShadowPad and CCleaner," Raiu notes.

"Barium poses a very large threat to enterprise organizations," says Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs. The group is associated with "Winnti," a larger umbrella group tied to numerous previous cyber intelligence operations against big organizations, he notes.

Barium's typical tactic is to attack organizations with a large distribution of users and then using those organizations to pursue targets aligned with their long-term interests, he says. The attacks usually involve the use of malware signed with stolen code signing certificates, Hegel notes. "This adversary is able to conduct large scale attacks to go after a small few individuals, which provides context into their sophistication and strong capability to pursue a mission," Hegel says.

Mark Orlando, CTO of cyber protection solutions at Raytheon Intelligence, Information and Services, says the presence of MAC addresses indicates the wide-ranging ShadowHammer attack was launched for the purpose of targeting a relatively small number of very specific devices.

Detecting ShadowHammer-like attacks can be extremely challenging for organizations, he says. Even those taking the extra precaution of comparing new software update files to the "official" update using hash values wouldn't have uncovered anything suspicious since the attackers replaced legitimate updates on the server with their own, Orlando notes.

Also, in this particular instance, the malware is designed to sit dormant if the victim machine's hardware address doesn't match with the MAC number of one of the 600 intended targets. Only defenders that know what to look for in advance have much of a chance to detect and stop such attacks, Orlando says.

"The best protection against this threat is a skilled defender who can quickly assess the malicious files or review available reporting and hunt for matching behaviors," he notes. Monitoring for suspicious network traffic to domain lookalike sites might also help detect second-stage downloads of additional malicious code.

"Overall, organizations must update their threat models to include signed updates from trusted sources, and avoid excluding those updates from security monitoring and other detection mechanisms," Orlando says.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
4/18/2019 | 2:19:52 AM
Millions within seconds
This is one of the many reasons why I am skeptical each time I see my computer prompting me to install updates. I am not 100% certain if they are to upgrade my security or increase its risks entirely. Attacking through updates is definitely a highly devious method which can easily hit millions within a short timeframe.
User Rank: Author
3/26/2019 | 6:43:35 PM
Certificates Not Revoked
Perhaps the most appalling aspect of this story is ASUS has still not revoked the certificates that attackers used to sign their malware.

Two possibilities:
  1. Attackers compromised these certificates; they have their private keys.
  2. Attackers did not compromise the private keys, instead only gainning sufficient access to cause ASUS signing infrastructure to sign whatever binary blob they requested.

In both cases, certificate revocation is absolutely essential and should have been done immediately. Even if the attackers didn't compromise the private keys, revoking the certs would prevent users from installing the signed malware, including malware signed by those keys that may have escaped detection thus far.
User Rank: Author
3/26/2019 | 10:06:02 AM
The future is now
Fascinating attack from the targeted nature of the effort. This underscores that adversaries are going to try to subvert our processes and to persist in areas where we have limited visibility. Think of the opportunities there may be in GPUs or any other specialized hardware. This underscores the need for visibility on both the endpoint and on the network.
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 and 11.5 is vulnerable to an escalation of privilege when an authenticated local attacker with special permissions executes specially crafted Db2 commands. IBM X-Force ID: 175212.
PUBLISHED: 2020-02-19
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 162886.
PUBLISHED: 2020-02-19
IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and could allow an authenticated user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 163654.
PUBLISHED: 2020-02-19
IBM Security Secret Server 10.7 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code. IBM X-Force ID: 170046.
PUBLISHED: 2020-02-19
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow an unauthenticated user to send specially crafted packets to cause a denial of service from excessive memory usage.