
Hackers Hijacked ASUS Software Updates To Install Backdoors on Thousands of Computers (vice.com)

ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company's server and used it to push the malware to machines. From a report: Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world's largest computer makers, was unwittingly used to install a malicious backdoor on thousands of its customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says. ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.

The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines. Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.


  1. Step 1 by Kiaser+Zohsay · · Score: 4, Funny

    Give it a cool name:

    The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.

    Check.

    --
    I am not your blowing wind, I am the lightning.
  2. Re:Why? by jellomizer · · Score: 4, Insightful

    Answer: Those people are expensive.

    Question: Why doesn't ASUS build their computers so the standard Microsoft Updates would fix most of the problems, and not deal with their own update tool?
    Answer: Because using certified parts is expensive too.

    So use cheap parts + cheap labor and sell their systems at market price = profit.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. ASUS doesn't use a HSM for their signing? by ctilsie242 · · Score: 5, Insightful

    Now this is something scary. Any company that takes security seriously uses a HSM to ensure that at worst, bad guys have to compromise the HSM specifically to generate signatures.

    At the minimum, and this is a MS recommended practice, the cert signing computers should be air-gapped to require a physical presence to sign something. The fact that this isn't done for a critical hardware company is extremely worrisome.

    For something as critical as updates, it is actually shocking that a HSM isn't used. These are not expensive... YubiKey sells a HSM for $650.

    1. Re:ASUS doesn't use a HSM for their signing? by DigiShaman · · Score: 2

      You *assume* they gave a fuck in the first place. No fucks given.

      --
      Life is not for the lazy.
  4. Re:Why? by Anonymous Coward · · Score: 3, Interesting

    Question: Why doesn't ASUS build their computers so the standard Microsoft Updates would fix most of the problems, and not deal with their own update tool?
    Answer: Because using certified parts is expensive too.

    And because every company wants branding and analytics, and are more focused on marketing than security.

    I assure you, the marketing department had more input on this platform than the technical people.

    Based on the rest of consumer product security we see these days, any security was added as an afterthought or by sheer dumb luck.

  5. Don't get software from hardware vendors by Anonymous Coward · · Score: 2, Interesting

    WTF, it's 2019. Doesn't everyone know by now, that you never, ever want to get your software from the same people you get your hardware from? It sucks that with phones, most of us still have little choice. But for desktops?! Preloaded software is so 1980s.

  6. So how do I tell if I've been infected? by the_skywise · · Score: 4, Interesting

    What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?

    1. Re:So how do I tell if I've been infected? by Merk42 · · Score: 5, Informative

      What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?

      https://shadowhammer.kaspersky...

    2. Re:So how do I tell if I've been infected? by the_skywise · · Score: 4, Informative

      Thanks - I did a search and this didn't turn up - just lots of articles re-reporting Vice's story here and saying Kaspersky had no comment.
      Also interesting that this headline says "thousands", the article says hundreds of thousands and the Kaspersky link says more than a million. :)

    3. Re:So how do I tell if I've been infected? by thomst · · Score: 2

      the_skywise inquired:

      What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?

      Kaspersky has made available a downloadable tool to determine whether the MAC address of your machine is on the list of addresses this malware targets:

      https://kas.pr/shadowhammer

      What you have to understand about Advanced Persistent Threat malware in general is that it is all designed to be exceedingly hard to detect, and as difficult as possible to remove, so there aren't any files you can "check for," nor is there a real possibility that you can remove it yourself.

      Although Kaspersky has attributed this particular piece of nastiness to a "hacker" (which is very probably a whole team of nation-state programmers, rather than a single individual) code-named BARIUM (the all-caps designator leads me to suspect that the name was bestowed by the NSA), who has been responsible for creating other, successful APT attacks in the past, the good news is that, although the original infection module was apparently very-widely-distributed (I'd go so far as to predict that every ASUS computer that was connected to the Internet prior to its discovery was infected), it was actually targeted at a specific set of around 600 MAC addresses. If your machine was not on that list, that piece of code might still be lurking on it somewhere, but it will not have downloaded and installed the really nasty back-door downloader and additional modules intended for the machines which it targeted.

      As the owner of an ASUS Zenbook, this is a threat I take seriously - but the fact that it seems to have actually been aimed at a specific set of presumably-high-value target machines indicates that mine was most probably not among them. (I'm just a novelist, without any connections to the intel community, or any community likely to be of interest to such a penetration campaign - and I sure as hell don't have enough money to make it worthwhile to target me for financial reasons!)

      We will learn more next month, when Kaspersky will release their full report on what it's calling ShadowHammer at an international security conference in Singapore. (That delay is likely to allow ASUS and/or Microsoft time to develop and distribute countermeasures, since the full report will, as is typical of Kaspersky's reports on APTs, undoubtedly include a sufficiently-detailed analysis of this malware to allow other bad actors to duplicate it, and/or create variants of it that could widen its reach to machines from other manufacturers.)

      Unless you're a spook or a diplomat who drives an ASUS machine, it's probably not a direct threat to you, personally, though ...

      --
      Check out my novel.
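The check thomst describes (compare the machine's own MAC addresses against the list the malware targets) can be scripted locally once an indicator list is in hand. This is an added example, not Kaspersky's tool or the real ShadowHammer list; the target set below is constructed, and it accepts both plain MACs and MD5 hashes of the canonical MAC, which is an assumption about how such a list might be published.

```python
import hashlib
import os
import re

# Constructed sample indicator set (NOT the real ShadowHammer list).
# Entries may be plain canonical MACs or MD5 hashes of the canonical MAC.
CONSTRUCTED_TARGETS = {
    "00:1a:2b:3c:4d:5e",                            # plain MAC form
    hashlib.md5(b"aa:bb:cc:dd:ee:ff").hexdigest(),  # hashed form
}

def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lowercase, colon-separated form.
    Accepts 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e and 001a2b3c4d5e."""
    digits = re.sub(r"[:\-. ]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_targeted(mac: str, targets=CONSTRUCTED_TARGETS) -> bool:
    """True if this MAC, or the MD5 of its canonical form, is in the indicator set."""
    canon = normalize_mac(mac)
    return canon in targets or hashlib.md5(canon.encode()).hexdigest() in targets

def local_macs_linux() -> list:
    """Collect every interface address from sysfs (Linux only); skips loopback/empty."""
    base = "/sys/class/net"
    macs = []
    for iface in (os.listdir(base) if os.path.isdir(base) else []):
        try:
            with open(os.path.join(base, iface, "address")) as f:
                mac = f.read().strip()
        except OSError:
            continue  # virtual interfaces without an address file
        if mac and mac != "00:00:00:00:00:00":
            macs.append(mac)
    return macs

def check_host(macs=None, targets=CONSTRUCTED_TARGETS) -> list:
    """Return the local MACs that match the indicator list; empty means not targeted.
    A machine with several NICs is flagged if any one of them matches."""
    macs = local_macs_linux() if macs is None else macs
    return [normalize_mac(m) for m in macs if is_targeted(m, targets)]

if __name__ == "__main__":
    hits = check_host()
    print("targeted MAC(s): " + ", ".join(hits) if hits else "no local MAC on the list")
```

A match only shows the host was on the target list; as the comment notes, it says nothing about whether the second-stage download actually happened, so treat a hit as a trigger for a full forensic look rather than a verdict.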
  7. Re:Why? by Opportunist · · Score: 2

    If we update through MS Update, how do we get the telemetry from your computer?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Has anyone else's home networks been knocked out? by kushks · · Score: 2

    My primary device is an ASUS laptop I bought for school a few years ago. Over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem, my next step being to replace the router. Has anyone else with an ASUS device noticed issues like this? Could this be the issue? I've even tried loading CentOS and Tails just to get the same "no internet connection available".

  10. High level hacker by 140Mandak262Jamuna · · Score: 3, Insightful
    After getting through ASUS server compromise, they just targeted 600 computers with hard coded MAC tables?

    It could be a high level state actor looking for high value targets.

    Or this is the test exploit verifying the ability for field testing. Subsequently they might have installed other back doors, and erased those operations from the update process. They forgot to clean up the original test code.

    Given the level of persistence these things can have, it would be really impossible to clean up the infected ASUS machines.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:High level hacker by AHuxley · · Score: 2

      Someone really wanted a longer term way in and to stay in with lower risk.
      The chart on Operation ShadowHammer https://securelist.com/operati... lists nations by (% by country) as
      Russia, Germany, France, Italy, the USA, Spain, Poland, the UK ...
      The page also has a MAC address online tool and an email if a MAC is detected.

      --
      Domestic spying is now "Benign Information Gathering"
  11. Re:There are no "Software Engineers". by gweihir · · Score: 2

    I am also in IT security and I cannot say I disagree. Although as part of my job I do security coding at full consulting rates. That is about 3 times what our customers pay for regular coders and it is eminently worth it for them. I mean, "senior web developers" with > 5 years of experience that do not even know what a HTTP request looks like? These people are worth worse than nothing. They would be very expensive if they were free. It is utterly pathetic. And this is from a Fortune-500 company that critically depends on its IT.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:Just got new Asus Laptop .... by cdsparrow · · Score: 2

    Sounds like this is installing software through the Windows ASUS software update program. Not to say that they couldn't have signed some BIOS files that were then installed, but if you aren't running the update tool in Windows you're probably good.

    Some EFI stuff can actually update independently now, but pretty sure you would have to boot into the EFI config and update the firmware there.

  13. Re:Further evidence ASUS is all about the $'s. by omfglearntoplay · · Score: 2

    Yeah, when they only did motherboards they had that great reputation. I've seen at least 4 out of 4 of their laptops over the last few years that were pretty bad on overheating and reliability. I wouldn't buy another ASUS laptop for gaming.