3/25/2019
04:10 PM

Attackers Compromise ASUS Software Update Servers to Distribute Malware

ShadowHammer campaign latest to highlight dangers of supply chain attacks.

Taiwanese computer maker ASUS may have inadvertently distributed malware to over 1 million users of its systems worldwide after attackers compromised software update servers at the company last year, Kaspersky Lab said in a report Monday.

Available telemetry shows the attackers planted the malware, disguised as legitimate software, on servers that ASUS uses to automatically push out software and firmware updates to users of its systems. The poisoned updates were hard to spot and block because they were digitally signed using legitimate ASUS certificates, Kaspersky Lab said.

The attacks happened between June and November 2018 and impacted ASUS customers that had enabled the ASUS Live Update utility on their systems. The utility is preinstalled on most ASUS computers and is used to automatically update applications, software drivers, firmware, and other components.

Though the rogue updates were likely installed on a large number of ASUS systems, the attackers themselves appear to have been interested in only a select few, based on a list of unique MAC addresses hard-coded into the malware, Kaspersky Lab said. "For now the real targets of this attack, surgically selected by 600-plus MAC addresses, remain unknown," says Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team. "We continue to investigate this attack and hopefully will be able to answer this question soon."

ASUS did not respond to a request for comment via its general media inquiry email address.

The attacks, which Kaspersky Lab has dubbed Operation ShadowHammer, are not the first time threat actors have attempted to distribute malware tools by embedding them into legitimate software products and updates.

In 2017 a threat group managed to install a multistage data-stealer into a version of Avast's CCleaner software that hundreds of thousands of users later downloaded to their systems. Then, as now, the malware impacted a large number of people, though one of the main goals of the campaign was to steal sensitive data from a handful of targeted technology companies, including Cisco, Microsoft, Google, Sony, and HTC.

In another incident, a Chinese threat group quietly embedded a backdoor Trojan, dubbed ShadowPad, into a server management software product from NetSarang Computer that was used by many large organizations.

Supply Chain Attack Challenges
"Catching supply chain attacks is extremely difficult [and is] possibly one of the biggest problems in IT security at the moment," Raiu says. Kaspersky has been working on new technologies for spotting such attacks based on code anomalies, code similarity, and traffic checking. "One of these technologies allowed us to catch the ShadowHammer attacker, as well as several attacks that we suspect are related," he says.

According to Kaspersky Lab, its investigation suggests that the group behind the attacks on ASUS systems is Barium, a threat actor that Microsoft recently identified as being responsible for embedding ShadowPad in NetSarang's software. Barium is also believed to be behind several attacks on developers of gaming applications, Kaspersky Lab said, pointing to a report from ESET.

One aspect of the ShadowHammer attacks that remains unclear is how exactly the attackers obtained the unique MAC addresses of the intended victims. "Although we do not know for sure, we believe these may have been obtained through previous supply chain attacks, such as ShadowPad and CCleaner," Raiu notes.

"Barium poses a very large threat to enterprise organizations," says Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs. The group is associated with "Winnti," a larger umbrella group tied to numerous previous cyber intelligence operations against big organizations, he notes.

Barium's typical tactic is to attack organizations with a large distribution of users and then to use those organizations to pursue targets aligned with its long-term interests, he says. The attacks usually involve the use of malware signed with stolen code signing certificates, Hegel notes. "This adversary is able to conduct large scale attacks to go after a small few individuals, which provides context into their sophistication and strong capability to pursue a mission," Hegel says.

Mark Orlando, CTO of cyber protection solutions at Raytheon Intelligence, Information and Services, says the presence of MAC addresses indicates the wide-ranging ShadowHammer attack was launched for the purpose of targeting a relatively small number of very specific devices.

Detecting ShadowHammer-like attacks can be extremely challenging for organizations, he says. Even those taking the extra precaution of comparing new software update files to the "official" update using hash values wouldn't have uncovered anything suspicious since the attackers replaced legitimate updates on the server with their own, Orlando notes.

Also, in this particular instance, the malware is designed to sit dormant if the victim machine's hardware address doesn't match with the MAC number of one of the 600 intended targets. Only defenders that know what to look for in advance have much of a chance to detect and stop such attacks, Orlando says.

"The best protection against this threat is a skilled defender who can quickly assess the malicious files or review available reporting and hunt for matching behaviors," he notes. Monitoring for suspicious network traffic to domain lookalike sites might also help detect second-stage downloads of additional malicious code.

"Overall, organizations must update their threat models to include signed updates from trusted sources, and avoid excluding those updates from security monitoring and other detection mechanisms," Orlando says.
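The two points above (a hash taken from the same server the attacker controls proves nothing, and signed updates from trusted vendors must still pass through detection) can be made concrete with a small update-acceptance policy. This is an added example, not code from Kaspersky Lab, ASUS or the article; code-signing verification is simulated with an HMAC keyed per certificate so it runs offline, and the payloads, certificate name and reference hash list are constructed. It also folds in the certificate-revocation check argued for in the comments below.

```python
import hashlib
import hmac

# Constructed stand-in for a code-signing PKI: certificate id -> signing key.
# A real check would validate an Authenticode signature; HMAC keeps it offline.
SIGNING_KEYS = {"vendor-cert-01": b"constructed-signing-key"}

def sign(cert, blob):
    return hmac.new(SIGNING_KEYS[cert], blob, "sha256").hexdigest()

def signature_valid(cert, blob, sig):
    if cert not in SIGNING_KEYS:
        return False
    return hmac.compare_digest(sign(cert, blob), sig)

def naive_check(blob, cert, sig, server_hash):
    """What many update clients do: valid signature + hash from the server."""
    return signature_valid(cert, blob, sig) and \
        hashlib.sha256(blob).hexdigest() == server_hash

def check_update(blob, cert, sig, server_hash, revoked, reference_hashes):
    """Layered policy. Returns (accepted, reason)."""
    digest = hashlib.sha256(blob).hexdigest()
    if not signature_valid(cert, blob, sig):
        return False, "bad signature"
    if cert in revoked:                      # revocation beats a valid signature
        return False, "signing certificate revoked"
    if digest != server_hash:
        return False, "hash mismatch with server manifest"
    if digest not in reference_hashes:       # reference obtained out of band
        return False, "hash not in independent reference list"
    return True, "accepted"

# Constructed scenario: the genuine update and a trojanised copy that replaced
# it on the update server, both signed with the same (compromised) certificate.
GENUINE = b"LiveUpdate 1.2.3 payload (constructed)"
POISONED = b"LiveUpdate 1.2.3 payload (constructed) + implant"
REFERENCE = {hashlib.sha256(GENUINE).hexdigest()}  # e.g. vendor bulletin, not the server

def served(blob):
    """Attacker controls the server, so its manifest hash matches whatever it serves."""
    return sign("vendor-cert-01", blob), hashlib.sha256(blob).hexdigest()

def scenario(blob, revoked=frozenset()):
    sig, server_hash = served(blob)
    return check_update(blob, "vendor-cert-01", sig, server_hash, revoked, REFERENCE)

def scenario_naive(blob):
    sig, server_hash = served(blob)
    return naive_check(blob, "vendor-cert-01", sig, server_hash)
```

Revoking the certificate rejects the genuine update too, which is the operational cost a vendor weighs against leaving a compromised key trusted.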


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
markgrogan, User Rank: Apprentice
4/18/2019 | 2:19:52 AM
Millions within seconds
This is one of the many reasons why I am skeptical each time I see my computer prompting me to install updates. I am not 100% certain if they are to upgrade my security or increase its risks entirely. Attacking through updates is definitely a highly devious method which can easily hit millions within a short timeframe.
PaulMakowski, User Rank: Author
3/26/2019 | 6:43:35 PM
Certificates Not Revoked
Perhaps the most appalling aspect of this story is ASUS has still not revoked the certificates that attackers used to sign their malware.

Two possibilities:
  1. Attackers compromised these certificates; they have their private keys.
  2. Attackers did not compromise the private keys, instead only gaining sufficient access to cause ASUS signing infrastructure to sign whatever binary blob they requested.

In both cases, certificate revocation is absolutely essential and should have been done immediately. Even if the attackers didn't compromise the private keys, revoking the certs would prevent users from installing the signed malware, including malware signed by those keys that may have escaped detection thus far.
mashd, User Rank: Author
3/26/2019 | 10:06:02 AM
The future is now
Fascinating attack from the targeted nature of the effort. This underscores that adversaries are going to try to subvert our processes and to persist in areas where we have limited visibility. Think of the opportunities there may be in GPUs or any other specialized hardware. This underscores the need for visibility on both the endpoint and on the network.