1 million ASUS computers targeted by hackers through malicious ASUS Live Update Utility software
The Russian cybersecurity firm Kaspersky Labs in a blog post disclosed that they detected a new advanced persistent threat (APT) campaign that compromised system updates to install a malicious backdoor on ASUS laptops and desktops of over 1 million users in what is known as a supply chain attack.
Kaspersky Lab has described the ASUS hack as a “one of the biggest supply-chain attacks ever.”
Apparently, the hackers behind the APT operation dubbed ‘ShadowHammer’ modified the ASUS Live Update Utility – a pre-installed utility in most new ASUS computers – which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops. The hackers injected a backdoor in the ASUS Live Update Utility between June and November last year, which was discovered by Kaspersky researchers in January 2019.
Kaspersky Labs estimate that the backdoored version of ASUS Live Update was downloaded and installed by more than 57,000 Kaspersky users, but it was distributed to around 1 million people.
Asus Live Updater was used in a big supply chain attack we dubbed Operation #ShadowHammer. We estimate this may have affected over 1 million computer users between June and Nov 2018. https://t.co/jTij3NwpSs
— Costin Raiu (@craiu) March 25, 2019
“The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one,” Kaspersky Labs said in the blog post.
“Each backdoor code contained a table of hardcoded MAC addresses – the unique identifier of network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor verified its MAC address against this table. If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity, which is why it remained undiscovered for such a long time. In total, security experts were able to identify more than 600 MAC addresses. These were targeted by over 230 unique backdoored samples with different shellcodes.”
The researchers found that “If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity.”
A search for similar malware by Kaspersky researchers found that another three vendors based in Asia too were infected with the same backdoor software.
Vitaly Kamluk, Director of Global Research and Analysis Team for APAC at Kaspersky Lab, said: “The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack. However, techniques used to achieve unauthorized code execution, as well as other discovered artefacts suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays.”
Kaspersky contacted ASUS on January 31 to inform them about the supply chain attack targeting the ASUS Live Update utility, and its investigation is ongoing. They also informed the other three unnamed vendors about the attacks.
Kaspersky Lab will be presenting full findings on Operation ShadowHammer at Security Analyst Summit 2019 scheduled to be held in Singapore from April 9 to April 11.