Today's news that hackers put backdoors into thousands of Asus computers using the company's own software update platform is a reminder of why supply-chain compromises are one of the scariest digital attacks out there.
Attackers compromised Asus’s Live Update tool to distribute malware to almost 1 million customers last year, according to initial findings researchers at the threat intelligence firm Kaspersky Lab disclosed Monday. The news was first reported by Motherboard. Asus machines accepted the tainted software because the attackers were able to sign it with a real Asus certificate (used to verify the legitimacy and trustworthiness of new code). Though the scope of the attack is broad, the hackers seem to have been seeking out a select 600 computers to target more deeply in a second-stage attack.
Kaspersky calls the attack ShadowHammer, indicating a possible link to ShadowPad malware used in some other major software supply-chain attacks. The hackers took a real Asus update from 2015 and subtly modified it before pushing it out to Asus customers sometime in the second half of 2018. Kaspersky discovered the attack on Asus in January and disclosed it to the company on January 31. Kaspersky says its researchers met with Asus a few times and the company seems to be in the process of investigating the incident, cleaning up its systems, and establishing new defenses.
Asus did not begin notifying its customers about the situation until Kaspersky went public with the findings. "A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," the company wrote in a statement on Tuesday. "ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
Software supply-chain attacks are insidious, because once hackers establish the ability to create platform updates that appear to be legitimate, they can capitalize on the product's distribution base to spread their malware quickly and widely. In the case of the Asus incident, attackers were targeting more than 600 machines in particular. They took advantage of Asus' reach to do a big sweep for as many of them as possible.
"Like any other supply-chain attack, this is very opportunistic," says Costin Raiu, director of Kaspersky's global research and analysis team. "You cast a wide net to try to catch everything and then handpick what you're looking for."
Every digital device has a unique identifier called a MAC address, and the Asus malware was programmed to check the addresses of the devices it infected. For the hundreds of thousands of Asus customers whose devices weren’t on the hackers' hit list, the malware would have no effect; it wasn’t programmed to be able to do anything else. If it was running on a targeted machine, however, it was programmed to phone home to a malicious server and download the second-stage payload to carry out a deeper attack.
For now, Kaspersky says it doesn't have a full picture of what the attackers were doing on the specially targeted machines.
Kaspersky estimates that the malware was distributed to about 1 million machines in total. Most Asus users won’t experience any long-term effects of the attack, but it remains to be seen what exactly the impacts were for people who own any of the 600 targeted machines.
The list of roughly 600 target devices that the malware was looking for mostly includes Asus machines—as you would expect for malware distributed through that manufacturer. But Raiu notes that some of the MAC addresses in the list have prefixes indicating that they are not Asus devices and are made by another manufacturer. It's unclear why these non-Asus MAC addresses were included in the list; perhaps they represent a larger sample of the attackers' total wish list.
Kaspersky has created a downloadable tool and an online portal that you can use to check whether your devices' MAC addresses were on the target list. The researchers hope that this will help them connect with victims of the more targeted attack, so they can find out more about what the hackers were after and what the targeted victims have in common, if anything. On Tuesday, Asus also released a diagnostic tool for its users.
How Bad Is This
Tainted updates in otherwise legitimate software platforms have already wreaked havoc in big incidents like the May 2017 NotPetya outbreak and the June 2017 CCleaner compromise. Kaspersky’s Raiu says that the firm suspects the Asus incident is connected to a series of mostly thwarted 2017 ShadowPad attacks as well as the successful use of ShadowPad in the CCleaner compromise. But the link isn’t definite yet.
Raiu adds the group that may be behind all of these attacks, known as Barium, rewrites tools for every large attack so scanners can’t detect them by looking for its old code signatures. But Kaspersky researchers see similarities in the way the Asus backdoor, the CCleaner backdoor, and other instances of ShadowPad were conceptually designed. They also look for other consistent tells the group uses in its code across different campaigns, though Kaspersky doesn’t reveal details of these indicators. Additionally, the CCleaner attack also cast a wide net in looking for a smaller population of specific targets.
“What is absolutely amazing about these guys is they change the shell code from one attack to the other,” Raiu notes. “The Asus case is different from every other case that we have seen so far.”
The sinister truth that a supply-chain compromise could happen to any company feels a lot more real when one hits a computer maker as big as Asus.
Updated March 26, 2019 10:00am ET to include a public statement from Asus and information about a diagnostic tool it released. The company did not directly respond to WIRED's request for comment.