Kaspersky Lab has reported that ASUS's Live Update server was compromised and weaponized by hackers, and the number of victims may run into the hundreds of thousands.
The attack began last year and was discovered in January this year, but ASUS does not yet appear to have informed its users. According to Kaspersky Lab researchers, the hackers installed a backdoor on users' computers through ASUS's official server, using a legitimate ASUS digital signature to make the payload look like a genuine software update. The attack may have been running for more than half a year before it was discovered.
Vitaly Kamluk, Asia Pacific Director of Kaspersky Lab's Global Research and Analysis Team, said that when researchers contacted ASUS earlier this year, the company refused to admit that its servers had been compromised and said the malware came from other networks. However, the download path of the malware samples Kaspersky collected clearly points to the ASUS server. The malware poses as setup.exe, purportedly an update to the update tool itself, and carries a valid signature.
Supply chain security
Kaspersky stressed that this highlights the problem of supply chain security. It is not the first such incident: there have been espionage tools that impersonated Microsoft updates to trick users into downloading malware, but in those cases the hackers redirected the victim's computer to a fake update server. There are many similar cases; CCleaner, for example, was also found to distribute malware to users through software updates, as did the notorious NotPetya attack.
However, Kaspersky director Costin Raiu pointed out that among comparable threats, the hijacking of the ASUS server is more elegant, better hidden and harder to detect: as long as the implant is not activated, users are unlikely to notice it. Yet even while it lies dormant on non-target systems, this attack path means the hackers have a backdoor on every infected ASUS system, and the scope is considerable. When Kaspersky first discovered the attack at the beginning of this year, nearly 57,000 users were infected. That sample comes only from Kaspersky's own paying customers, and the actual number of victims may be in the hundreds of thousands.
The hackers had specific targets
Interestingly, however, the attack was staged and aimed at well-defined targets. It is a surgical precision attack: before activating the payload, the malware checks the machine's hardware (MAC) address to determine whether it is one of the intended targets. This also means the hackers knew the specific hardware addresses of their targets in advance, rather than choosing victims at random. So far Kaspersky has only been able to recover a list of more than 600 hardware addresses from the malware samples; the full picture is unknown, and there is no way to tell who the second-stage victims were.
The attack has been named ShadowHammer, and Kaspersky researchers believe the hackers are the same group behind the ShadowPad and CCleaner attacks. ASUS was originally one of the main targets of the CCleaner attack, which is speculated to be how the hackers gained access to the ASUS server. It has now been confirmed that the hackers used two different ASUS code-signing certificates to sign their malware; one expired in mid-2018, after which they switched to the second, still-valid certificate. ASUS has so far not responded to this.
In fact, this is not the first time ASUS has faced a security crisis. As early as 2016, the US Federal Trade Commission charged that ASUS's networking products had numerous vulnerabilities that exposed them to hacking, and ASUS committed to drawing up a comprehensive security program and undergoing independent reviews for 20 years.
Kaspersky has released a detection tool for the attack; users can also check their MAC address online to determine whether they were targeted, and Kaspersky hopes that victims will contact it as soon as possible. For technical details, see the Operation ShadowHammer page.
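The hardware-address gating described in the targeting section and the MAC check Kaspersky offers can be reproduced as a local, defender-side check. The following is an added example, not code from the article or from Kaspersky: it assumes the implant matched MD5 hashes of MAC addresses rendered as lowercase colon-separated hex (the exact format is an assumption here), and its target hashes are constructed from two made-up MACs rather than taken from the real list.

```python
import hashlib
import re
import uuid
from typing import Iterable

def normalize_mac(mac: str) -> str:
    """Canonicalise common MAC spellings (AA-BB-.., aabb.ccdd.eeff, AA:BB:..)
    to lowercase colon-separated hex; reject anything that is not 48 bits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def mac_hash(mac: str) -> str:
    # ASSUMPTION: the implant compared MD5(mac as lowercase colon-hex).
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()

# CONSTRUCTED sample target list. A real checker would load the hashes
# published by the researchers; these two come from made-up MACs so the
# block runs offline.
TARGET_HASHES = frozenset(
    mac_hash(m) for m in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF")
)

def find_matches(macs: Iterable[str], target_hashes=TARGET_HASHES) -> list:
    """Return the normalised MACs from `macs` whose hash is in the target set.
    Unparseable entries are skipped rather than aborting the whole scan."""
    hits = []
    for mac in macs:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            continue
        if hashlib.md5(canon.encode("ascii")).hexdigest() in target_hashes:
            hits.append(canon)
    return hits

def local_macs() -> list:
    """Best-effort stdlib enumeration. uuid.getnode() returns a random number
    with the multicast bit set when no real MAC is found; ignore that case and
    feed `ip link` output into find_matches() for a full inventory."""
    node = uuid.getnode()
    if node & (1 << 40):
        return []
    return ["%012x" % node]  # bare hex is accepted by normalize_mac()

if __name__ == "__main__":
    hits = find_matches(local_macs())
    print("MATCH - host is on the target list:" if hits else "no match", hits)
```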