Asus users hit in Operation ShadowHammer attack

March 26, 2019 | 10:40

Tags: #advanced-persistent-threat #apt #asus-live-update-utility #insecurity #malware #operation-shadowhammer #security #trojan #updates

Companies: #asus #kaspersky

Security specialist Kaspersky has detailed a supply chain attack dubbed Operation ShadowHammer, in which Asus' Live Update Utility was used for a period last year to distribute malware to an estimated million-plus users globally.

Revealed ahead of schedule by Vice Motherboard and confirmed by Kaspersky, Operation ShadowHammer - an investigation into which is still ongoing, the company confirms - is the name given to a serious breach of Asus' Live Update Utility. Pre-installed on the majority of Asus' Windows-based machines, Asus Live Update Utility is designed to make it easy for the user to download and install driver and firmware updates - and, apparently, malware.

Kaspersky detected the attack in January 2019 and believes the infected updates were served through the Asus Live Update Utility between June and November 2018. The exact number of victims isn't yet known, but the company's estimate - extrapolated from detections on 57,000 systems running Kaspersky security software - puts it at 'over a million users worldwide'.

Those users, Kaspersky explains, received updates containing a Trojan horse program giving the attackers access to their systems - updates which, frustratingly, were signed with a legitimate Asus code-signing certificate and hosted on the genuine Asus update servers, making them indistinguishable from the usual, benign updates to both the utility and the user.

In short, it's a serious breach. Users with up-to-date anti-malware software should find that the malicious update is detected and cleaned, though Kaspersky has also made a free utility to determine whether your system was one of a handful 'surgically selected' for a precision attack - an estimated 600 systems specifically targeted by the creator or creators of the malware using their unique network card media access control (MAC) addresses.
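The MAC-address gating described above is what turns a million-host infection into a 600-host attack: the implant carries a list of target identifiers and only proceeds on a machine whose adapter matches one. The Python below is an added illustration of that check, written for this page; it is not Kaspersky's free utility, nor the implant's code, and it assumes the target list is stored as hashes of normalised MAC addresses (SHA-256 here, chosen for the example; the page does not say how the real list was stored). The target MACs and the `ipconfig /all` snippet are constructed sample data. The practitioner details it handles are the ones that trip up a naive comparison: Windows prints `00-1A-2B-...` while Linux prints `00:1a:2b:...`, a host has several adapters and any one of them can match, and a hashed list lets you test a host without being able to read the targets back.

```python
import hashlib
import re

def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address (any separator, any case) to 12 lowercase
    hex digits, so '00-1A-2B-3C-4D-5E' and '00:1a:2b:3c:4d:5e' compare equal.
    Raises ValueError for anything that is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def mac_fingerprint(mac: str) -> str:
    """Hash of the canonical MAC. Storing hashes rather than raw addresses is an
    assumption of this example: it hides the victim list from anyone who finds it,
    while still letting a given host be checked."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()

# Constructed target list for the example (not real victim addresses).
TARGET_MACS = ["00:1A:2B:3C:4D:5E", "de-ad-be-ef-00-01"]
TARGET_HASHES = frozenset(mac_fingerprint(m) for m in TARGET_MACS)

# Constructed `ipconfig /all` excerpt in the format Windows actually prints.
IPCONFIG_SAMPLE = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : A4-5E-60-11-22-33
"""

def adapters_from_ipconfig(text: str) -> list:
    """Pull every 'Physical Address' value out of `ipconfig /all` output."""
    return re.findall(r"Physical Address[ .]*: ([0-9A-Fa-f:-]{17})", text)

def matching_adapters(adapters, target_hashes=TARGET_HASHES) -> list:
    """Return the canonical form of every adapter whose fingerprint is on the
    target list. Unparseable entries are skipped rather than aborting the scan,
    because one bad adapter line must not mask a real match on another."""
    hits = []
    for mac in adapters:
        try:
            fp = mac_fingerprint(mac)
        except ValueError:
            continue
        if fp in target_hashes:
            hits.append(normalize_mac(mac))
    return hits

def is_targeted(adapters, target_hashes=TARGET_HASHES) -> bool:
    """The gate the implant applies: any adapter on the list means this host
    gets the second stage; no match means it stays dormant."""
    return bool(matching_adapters(adapters, target_hashes))

if __name__ == "__main__":
    found = adapters_from_ipconfig(IPCONFIG_SAMPLE)
    print("adapters:", found)
    print("targeted:", is_targeted(found), "via", matching_adapters(found))
```

To check a real Windows host, feed the output of `ipconfig /all` to `adapters_from_ipconfig` and pass the result to `is_targeted` against the hash list you want to test; on Linux, the same `matching_adapters` function accepts the colon-separated addresses from `ip link` directly.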

Asus has yet to issue a statement on the breach, and while the malicious updates have been cleaned from the update servers, the company has not yet revoked the compromised code-signing certificates - meaning anything else signed with them would still pass as genuine.

UPDATE 1530:

Asus has issued an official statement on the breach. 'Asus Live Update is a proprietary tool supplied with Asus notebook computers to ensure that the system always benefits from the latest drivers and firmware from Asus. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,' the company confirms. 'Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.

'Asus has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.'

The company has also released a diagnostic tool to ensure the vulnerable software has been correctly updated or removed.
