Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:10 PM
Connect Directly

Attackers Compromise ASUS Software Update Servers to Distribute Malware

ShadowHammer campaign latest to highlight dangers of supply chain attacks.

Taiwanese computer maker ASUS may have inadvertently distributed malware to over 1 million users of its systems worldwide after attackers compromised software update servers at the company last year, Kaspersky Lab said in a report Monday.

Available telemetry shows the attackers planted the malware, disguised as legitimate software, on servers that ASUS uses to automatically push out software and firmware updates to users of its systems. The poisoned updates were hard to spot and block because they were digitally signed using legitimate ASUS certificates, Kaspersky Lab said.

The attacks happened between June and November 2018 and impacted ASUS customers that had enabled the ASUS Live Update utility on their systems. The utility is preinstalled on most ASUS computers and is used to automatically update applications, software drivers, firmware, and other components.

Though the rogue updates were likely installed on a large number of ASUS systems, the attackers themselves appear to have been interested in only a select few, based on a list of unique MAC addresses hard-coded into the malware, Kaspersky Lab said. "For now the real targets of this attack, surgically selected by 600-plus MAC addresses, remain unknown," says Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team. "We continue to investigate this attack and hopefully will be able to answer this question soon."

ASUS did not respond to a request for comment via its general media inquiry email address.

The attacks, which Kaspersky Lab has dubbed Operation ShadowHammer, is not the first time threat actors have attempted to distribute malware tools by embedding them into legitimate software products and updates.

In 2017 a threat group managed to install a multistage data-stealer into a version of Avast's CCleaner software that hundreds of thousands of users later downloaded to their systems. Then, as now, the malware impacted a large number of people, though one of the main goals of the campaign was to steal sensitive data from a handful of targeted technology companies, including Cisco, Microsoft, Google, Sony, and HTC.

In another incident, a Chinese threat group quietly embedded a backdoor Trojan, dubbed ShadowPad, into a server management software product from NetSarang Computer that was used by many large organizations.

Supply Chain Attack Challenges
"Catching supply chain attacks is extremely difficult [and is] possibly one of the biggest problems in IT security at the moment," Raiu says. Kaspersky has been working on new technologies for spotting such attacks based on code anomalies, code similarity, and traffic checking. "One of these technologies allowed us to catch the ShadowHammer attacker, as well as several attacks that we suspect are related," he says.

According to Kaspersky Lab, its investigation suggests that the group behind the attacks on ASUS systems is Barium, a threat actor that Microsoft recently identified as being responsible for embedding ShadowPad in NetSarang's software. Barium is also believed to be behind several attacks on developers of gaming applications, Kaspersky Lab said, pointing to a report from ESET.

One aspect of the ShadowHammer attacks that remains unclear is how exactly the attackers obtained the unique MAC addresses of the intended victims. "Although we do not know for sure, we believe these may have been obtained through previous supply chain attacks, such as ShadowPad and CCleaner," Raiu notes.

"Barium poses a very large threat to enterprise organizations," says Tom Hegel, security researcher at AT&T Cybersecurity’s Alien Labs. The group is associated with "Winnti," a larger umbrella group tied to numerous previous cyber intelligence operations against big organizations, he notes.

Barium's typical tactic is to attack organizations with a large distribution of users and then using those organizations to pursue targets aligned with their long-term interests, he says. The attacks usually involve the use of malware signed with stolen code signing certificates, Hegel notes. "This adversary is able to conduct large scale attacks to go after a small few individuals, which provides context into their sophistication and strong capability to pursue a mission," Hegel says.

Mark Orlando, CTO of cyber protection solutions at Raytheon Intelligence, Information and Services, says the presence of MAC addresses indicates the wide-ranging ShadowHammer attack was launched for the purpose of targeting a relatively small number of very specific devices.

Detecting ShadowHammer-like attacks can be extremely challenging for organizations, he says. Even those taking the extra precaution of comparing new software update files to the "official" update using hash values wouldn't have uncovered anything suspicious since the attackers replaced legitimate updates on the server with their own, Orlando notes.

Also, in this particular instance, the malware is designed to sit dormant if the victim machine's hardware address doesn't match with the MAC number of one of the 600 intended targets. Only defenders that know what to look for in advance have much of a chance to detect and stop such attacks, Orlando says.

"The best protection against this threat is a skilled defender who can quickly assess the malicious files or review available reporting and hunt for matching behaviors," he notes. Monitoring for suspicious network traffic to domain lookalike sites might also help detect second-stage downloads of additional malicious code.

"Overall, organizations must update their threat models to include signed updates from trusted sources, and avoid excluding those updates from security monitoring and other detection mechanisms," Orlando says.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Author
3/26/2019 | 10:06:02 AM
The future is now
Fascinating attack from the targeted nature of the effort. This underscores that adversaries are going to try to subvert our processes and to persist in areas where we have limited visibility. Think of the opportunities there may be in GPUs or any other specialized hardware. This underscores the need for visibility on both the endpoint and on the network.
User Rank: Author
3/26/2019 | 6:43:35 PM
Certificates Not Revoked
Perhaps the most appalling aspect of this story is ASUS has still not revoked the certificates that attackers used to sign their malware.

Two possibilities:
  1. Attackers compromised these certificates; they have their private keys.
  2. Attackers did not compromise the private keys, instead only gainning sufficient access to cause ASUS signing infrastructure to sign whatever binary blob they requested.

In both cases, certificate revocation is absolutely essential and should have been done immediately. Even if the attackers didn't compromise the private keys, revoking the certs would prevent users from installing the signed malware, including malware signed by those keys that may have escaped detection thus far.
User Rank: Strategist
4/18/2019 | 2:19:52 AM
Millions within seconds
This is one of the many reasons why I am skeptical each time I see my computer prompting me to install updates. I am not 100% certain if they are to upgrade my security or increase its risks entirely. Attacking through updates is definitely a highly devious method which can easily hit millions within a short timeframe.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.