Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

ShadowHammer Dangers Include Update Avoidance

More fallout from the compromise of Asus's automated software update.

When a platform is attacked, there are well-practiced tools and strategies for response. When servers that provide software and firmware updates get hit as in the recent ShadowHammer attack that hit Asus and its customers, remediation can be much more of a challenge technologically and behaviorally.

The ShadowHammer attackers used a trusted supplier — which itself was using trusted certificates for authentication — to target a relatively small number of end users. But the impact of the attack may be felt far beyond the targeted systems as customers around the world lose confidence in the software, firmware, updates, and patches provided by Asus.

Researchers at Skylight Cyber last week published a list of the roughly 600 MAC addresses targeted in the breach. Kaspersky Lab earlier had published a tool in which a specific MAC could be compared against a hidden table of addresses to see whether it was targeted in the attack.

Kaspersky’s investigation identified 600 MAC addresses — a unique identifier assigned to each networked device — hard-coded into ASUS' backdoored update utility. "This indicates that the wide-reaching attack was launched for the purpose of targeting a relatively small number of very specific devices," says Mark Orlando, CTO of Cyber Protection Solutions at Raytheon.

The small number of devices targeted in ShadowHammer is not a factor unique to the attack. "A common thread among many of these supply chain attacks is that, despite having access to a trove of compromised systems at their disposal, attackers have only targeted a smaller subset of those systems," says Satnam Narang, senior research engineer at Tenable.

In a security environment that often brings the requirement for rapid software and firmware updates to deal with zero-day or rapidly evolving threats, a breach in trust may be the most damaging of ShadowHammer's effects. "This can result in end-user skepticism about applying software updates, which often contain critical security updates that, if left unpatched, could be exploited," Narang says.

"We plainly see the need for validation of trusted-vendor channels in addition to digital signatures — which, in this case, appears to have further concealed the malicious activity by providing a false sense of integrity — not just for software and platform updates, but any 'trusted' vendor network which has access into our environment," says Colin Little, senior threat analyst at Centripetal Networks.. 

That doesn't mean channels like update servers should be given network carte blanche. "Organizations should take a hard look at supply chain security, and specifically software update security, in light of this report," Orlando says.

Because compromised updates can be digitally signed and will likely get past signature-based protection, "the best defenses are a shift towards proactive analysis, e.g. threat hunting, and tougher scrutiny of third-party software," he says.

Related Content:

 

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DavidHamilton
50%
50%
DavidHamilton,
User Rank: Apprentice
4/16/2019 | 4:13:37 AM
Clear your name
It is always a chain reaction when you engage a third party to do the job for you. End users only see you at the front so the blame will be pushed to you even if you weren't the one handling the security component at the back. Nobody would know it wasn't you until you release a press release explaining what was going on and clearing your name in the process.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.