Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:10 PM
Connect Directly

Attackers Compromise ASUS Software Update Servers to Distribute Malware

ShadowHammer campaign latest to highlight dangers of supply chain attacks.

Taiwanese computer maker ASUS may have inadvertently distributed malware to over 1 million users of its systems worldwide after attackers compromised software update servers at the company last year, Kaspersky Lab said in a report Monday.

Available telemetry shows the attackers planted the malware, disguised as legitimate software, on servers that ASUS uses to automatically push out software and firmware updates to users of its systems. The poisoned updates were hard to spot and block because they were digitally signed using legitimate ASUS certificates, Kaspersky Lab said.

The attacks happened between June and November 2018 and impacted ASUS customers that had enabled the ASUS Live Update utility on their systems. The utility is preinstalled on most ASUS computers and is used to automatically update applications, software drivers, firmware, and other components.

Though the rogue updates were likely installed on a large number of ASUS systems, the attackers themselves appear to have been interested in only a select few, based on a list of unique MAC addresses hard-coded into the malware, Kaspersky Lab said. "For now the real targets of this attack, surgically selected by 600-plus MAC addresses, remain unknown," says Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team. "We continue to investigate this attack and hopefully will be able to answer this question soon."

ASUS did not respond to a request for comment via its general media inquiry email address.

The attacks, which Kaspersky Lab has dubbed Operation ShadowHammer, is not the first time threat actors have attempted to distribute malware tools by embedding them into legitimate software products and updates.

In 2017 a threat group managed to install a multistage data-stealer into a version of Avast's CCleaner software that hundreds of thousands of users later downloaded to their systems. Then, as now, the malware impacted a large number of people, though one of the main goals of the campaign was to steal sensitive data from a handful of targeted technology companies, including Cisco, Microsoft, Google, Sony, and HTC.

In another incident, a Chinese threat group quietly embedded a backdoor Trojan, dubbed ShadowPad, into a server management software product from NetSarang Computer that was used by many large organizations.

Supply Chain Attack Challenges
"Catching supply chain attacks is extremely difficult [and is] possibly one of the biggest problems in IT security at the moment," Raiu says. Kaspersky has been working on new technologies for spotting such attacks based on code anomalies, code similarity, and traffic checking. "One of these technologies allowed us to catch the ShadowHammer attacker, as well as several attacks that we suspect are related," he says.

According to Kaspersky Lab, its investigation suggests that the group behind the attacks on ASUS systems is Barium, a threat actor that Microsoft recently identified as being responsible for embedding ShadowPad in NetSarang's software. Barium is also believed to be behind several attacks on developers of gaming applications, Kaspersky Lab said, pointing to a report from ESET.

One aspect of the ShadowHammer attacks that remains unclear is how exactly the attackers obtained the unique MAC addresses of the intended victims. "Although we do not know for sure, we believe these may have been obtained through previous supply chain attacks, such as ShadowPad and CCleaner," Raiu notes.

"Barium poses a very large threat to enterprise organizations," says Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs. The group is associated with "Winnti," a larger umbrella group tied to numerous previous cyber intelligence operations against big organizations, he notes.

Barium's typical tactic is to attack organizations with a large distribution of users and then using those organizations to pursue targets aligned with their long-term interests, he says. The attacks usually involve the use of malware signed with stolen code signing certificates, Hegel notes. "This adversary is able to conduct large scale attacks to go after a small few individuals, which provides context into their sophistication and strong capability to pursue a mission," Hegel says.

Mark Orlando, CTO of cyber protection solutions at Raytheon Intelligence, Information and Services, says the presence of MAC addresses indicates the wide-ranging ShadowHammer attack was launched for the purpose of targeting a relatively small number of very specific devices.

Detecting ShadowHammer-like attacks can be extremely challenging for organizations, he says. Even those taking the extra precaution of comparing new software update files to the "official" update using hash values wouldn't have uncovered anything suspicious since the attackers replaced legitimate updates on the server with their own, Orlando notes.

Also, in this particular instance, the malware is designed to sit dormant if the victim machine's hardware address doesn't match with the MAC number of one of the 600 intended targets. Only defenders that know what to look for in advance have much of a chance to detect and stop such attacks, Orlando says.

"The best protection against this threat is a skilled defender who can quickly assess the malicious files or review available reporting and hunt for matching behaviors," he notes. Monitoring for suspicious network traffic to domain lookalike sites might also help detect second-stage downloads of additional malicious code.

"Overall, organizations must update their threat models to include signed updates from trusted sources, and avoid excluding those updates from security monitoring and other detection mechanisms," Orlando says.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
4/18/2019 | 2:19:52 AM
Millions within seconds
This is one of the many reasons why I am skeptical each time I see my computer prompting me to install updates. I am not 100% certain if they are to upgrade my security or increase its risks entirely. Attacking through updates is definitely a highly devious method which can easily hit millions within a short timeframe.
User Rank: Author
3/26/2019 | 6:43:35 PM
Certificates Not Revoked
Perhaps the most appalling aspect of this story is ASUS has still not revoked the certificates that attackers used to sign their malware.

Two possibilities:
  1. Attackers compromised these certificates; they have their private keys.
  2. Attackers did not compromise the private keys, instead only gainning sufficient access to cause ASUS signing infrastructure to sign whatever binary blob they requested.

In both cases, certificate revocation is absolutely essential and should have been done immediately. Even if the attackers didn't compromise the private keys, revoking the certs would prevent users from installing the signed malware, including malware signed by those keys that may have escaped detection thus far.
User Rank: Author
3/26/2019 | 10:06:02 AM
The future is now
Fascinating attack from the targeted nature of the effort. This underscores that adversaries are going to try to subvert our processes and to persist in areas where we have limited visibility. Think of the opportunities there may be in GPUs or any other specialized hardware. This underscores the need for visibility on both the endpoint and on the network.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
A Insecure Temporary File vulnerability in s390-tools of SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-SP2 allows local attackers to prevent VM live migrations This issue affects: SUSE Linux Enterprise Server 12-SP5 s390-tools versions prior to 2.1.0-18.29.1. SUSE Linux Enterp...
PUBLISHED: 2021-04-14
A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station (an...
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions.