Report: Supply Chain Attack ShadowHammer Leveraged ASUS Live Update

Subject: General Tech | March 25, 2019 - 01:47 PM |
Tagged: ShadowHammer, security, Kaspersky Labs, asus

Update, 3/26/19: As reported by TechRadar this morning, ASUS has responded to the issue and implemented a fix in the latest version of Live Update (version 3.6.8), which provides "an enhanced end-to-end encryption mechanism" for the software. ASUS states that they "have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future". The company has also released a software tool to check whether your system is affected, available directly from ASUS here (ZIP file).

Further, Bloomberg reports today that ASUS has disputed the numbers from the Kaspersky report, stating that the attacks impacted only several hundred devices, not "over a million" as Kaspersky had estimated. An ASUS spokesperson also said that "the company had since helped customers fix the problem, patched the vulnerability and updated their servers," in a statement quoted in the Bloomberg report.

The original news post follows.


Today, unfortunately, we have a perfect example of a supply chain attack posted at Slashdot, and a very good reason for anyone using ASUS products to do a full scan of their systems as soon as they can. It seems that attackers compromised the ASUS update server, forged two different ASUS digital certificates and pushed out malware to about half a million customers when their machines ran an auto-update. Kaspersky Labs published details of their findings this afternoon as well, cautioning that "the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore".

What makes this even more interesting is that the infection was looking for 600 specific MAC addresses; when it found one, it would immediately reach out to another server to install an additional payload. This does not mean those without one of the listed MAC addresses are safe: the infection could still be present and could be modified to install additional nastiness on all infected machines. According to the information from Motherboard, Kaspersky first detected this in January and has reached out to ASUS several times, as did Motherboard, who "has not heard back from the company".


"The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses."


Source: Slashdot

Feel good Friday post; a troll pays a toll

Subject: General Tech | September 1, 2017 - 03:04 PM |
Tagged: Kaspersky Labs, patent troll, kick ass

Kaspersky Labs used a portion of US case law to demand that a patent troll fork over money before they would agree to drop the lawsuit Wetro Lan had filed against them. Wetro Lan picked up a patent with a somewhat famous past, having been used in numerous dubious lawsuits filed by what are politely known as patent trolls. The patent is a ridiculously vague description of a firewall, and trolls have used it in the past to sue companies in the hope of a payout to prevent the case from going to court. Kaspersky not only went to court to fight; instead of waiting for the amount of money demanded to drop to zero, they launched a counter-suit and refused to end the litigation until they received $10,000. This meant that Wetro Lan had to keep paying to continue the case, and once they realized they were stuck they acquiesced to Kaspersky's demands, after talking them down to $5000. Check out The Register for more information.


"The Russian antivirus vendor said that it collected a $5,000 payment to agree to drop a patent infringement case where it was the defendant, after the litigator agreed they had no hope of winning their claim."


Source: The Register

Windows Defender no longer protects you from third party antivirus software

Subject: General Tech | August 10, 2017 - 03:09 PM |
Tagged: microsoft, Kaspersky Labs, windows defender

Microsoft have decided to remove the function in Windows Defender which disabled other antivirus software without notifying the user. The decision comes after Kaspersky Labs brought an antitrust lawsuit against Microsoft for disabling products their customers had purchased and expected to work. The resolution will not be immediate: it will be the Fall Creators Update which brings this change, along with a change to the permissions of third party AV messages. Drop by The Inquirer for more details on the changes to the messaging.


"Microsoft had poo-pooed the complaint but previously confessed that an update changed the way that Windows 10 deals with AV incompatibilities - by switching them off without warning the user."


Source: The Inquirer

Know someone who uses Kaspersky Internet Security and is having trouble today?

Subject: General Tech | March 11, 2013 - 02:27 PM |
Tagged: Kaspersky Labs, patch

It would seem that a single specially malformed IPv6 packet is enough to completely lock up a PC protected by several versions of Kaspersky Internet Security. There is currently a private patch available for machines suffering from this issue, and an official patch will be pushed out in the very near future. According to The Register, this flaw was originally reported to Kaspersky in January, but as they had not released a patch, the original discoverer of the flaw went public, which was obviously what it took to get them to fix the issue. If you run into problematic PCs over the next few days, you might want to check for Kaspersky Labs software before you really get into troubleshooting.


"After receiving feedback from the researcher, Kaspersky Lab quickly fixed the error. A private patch is currently available on demand and an autopatch will soon be released to fix the problem automatically on every computer protected by Kaspersky Internet Security 2013."


Source: The Register

This new malware goes straight to your RAM, no installation required

Subject: General Tech | March 19, 2012 - 11:58 AM |
Tagged: Virus, Trojan-Spy.Win32.Lurk, ram virus, Kaspersky Labs, javaw.exe, fud

A lovely little electronic beastie was spotted by Kaspersky Labs on Russian ad servers recently. It uses a Java exploit (long since patched) to corrupt javaw.exe while it is running in system memory, infecting machines without any installation required whatsoever. While this sounds quite bad, the fact is that in memory it can infect running programs but cannot move out of memory without triggering an installation process, and it will not survive a system reboot. That is why, as soon as this malware finds itself in a system's RAM, it immediately tries to install the Lurk Trojan, which is when your problems would start and when your anti-virus/anti-malware protection should notice something amiss.

By itself the new virus poses little direct risk, but it represents a new attack vector for drive-by infections: one which could get into protected space and launch an attack from within the system's memory, a much faster and more intimate way of attacking than coming over the network. With home systems sporting more than 4GB of RAM, there is a lot more space for this type of virus to work with than there was just a few years ago. Read on at The Register, if you dare.


"The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process."


Source: The Register