Security firm Kaspersky has released an update on its analysis of the ShadowHammer supply chain attacks, identifying a full list of some 600 targeted devices and two more companies seemingly targeted by the same group.
Kaspersky's initial analysis of the ShadowHammer attacks came late last month when the company discovered the supply chain attack against Asus' Live Update Utility software - exposing an estimated million-plus users globally to the installation of malware. Asus responded quickly with an updated version of the software, though failed to revoke the security certificates which had been breached during the attack and used to sign the malicious updates, along with the release of a diagnostic tool.
As well as being able to install malicious software on any system with Asus Live Update Utility installed, the ShadowHammer attackers targeted specific systems via media access control (MAC) address - unique identifiers burned into Ethernet adapters. A small number of these were quickly identified, but Kaspersky's update has now included details of the full 600-some targeted systems - the majority of which, interestingly, came from Asus itself. Other targeted systems include those manufactured by Intel, AzureWave, Liteon, and Hon Hai Precision Industry (better known as Foxconn).
Less specific targets include MAC addresses for virtual network adapters used by the VMware virtualisation platform and one of Huawei's USB 3G modems - MACs which are shared between all users of said tools, rather than being unique to each user as per physical Ethernet adapters.
The additional research also uncovered related attacks against other companies, where legitimate update systems and certificates were used to sign malicious software: Thai game developer Electronics Extreme Company and its The War Z-based Infestation: Survivor Stores; Zepetto Company and its first-person shooter PointBlank. Neither, however, had the user base of the Asus breach.
March 25 2020 | 14:00