Report: Supply Chain Attack ShadowHammer Leveraged ASUS Live Update
Subject: General Tech | March 25, 2019 - 01:47 PM | Jeremy Hellstrom
Tagged: ShadowHammer, security, Kaspersky Labs, asus
Update, 3/26/19: As reported by TechRadar this morning, ASUS has responded to the issue and implemented a fix in the latest version of Live Update (version 3.6.8), which provides "an enhanced end-to-end encryption mechanism" for the software. ASUS states that they "have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future". The company has also released a software tool to see if your system is affected, available directly from ASUS here (ZIP file).
Further, Bloomberg reports today that ASUS has disputed the numbers from the Kaspersky report, stating the attacks impacted only several hundred devices - and not "over a million" as had been estimated by Kaspersky. An ASUS spokesperson also said that "the company had since helped customers fix the problem, patched the vulnerability and updated their servers," in a statement quoted in the Bloomberg report.
The original news post follows.
Today, unfortunately, we have a perfect example of a supply chain attack posted at Slashdot and a very good reason for anyone using ASUS products to do a full scan on their systems as soon as they can. It seems that attackers compromised the ASUS update server, forged two different ASUS digital certificates and pushed out malware to about a half million customers when their machines ran an auto-update. Kaspersky Labs published details on their findings this afternoon as well, cautioning that "the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore".
What makes this even more interesting is that the infection was looking for 600 specific MAC addresses; when it found one it would immediately reach out to another server to install an additional payload. This does not mean those without one of the listed MAC addresses are safe: the infection could still be present and could be modified to install additional nastiness on all infected machines. According to the information from Motherboard, Kaspersky first detected this in January and has reached out to ASUS several times, as did Motherboard, who "has not heard back from the company".
"The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses."
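As an added illustration (not code from ASUS, Kaspersky or the original post) of the kind of check a diagnostic tool performs: normalize a host's MAC addresses, whatever notation they arrive in, and compare them against a list of targeted addresses. The TARGETED_MACS values are constructed placeholders, not the real list, and as the paragraph above notes, no match only means the host was not singled out for the second stage, not that the trojanised updater is absent.

```python
import re
import uuid
from typing import Iterable

# Constructed sample list of "targeted" MAC addresses (placeholders, not
# the real ShadowHammer list). Stored in lowercase colon-separated form.
TARGETED_MACS = {
    "00:11:22:33:44:55",
    "aa:bb:cc:dd:ee:ff",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'AABBCCDDEEFF' or the
    colon form and return lowercase 'aa:bb:cc:dd:ee:ff'; reject anything else."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def check_macs(local_macs: Iterable[str], targeted: set = TARGETED_MACS) -> dict:
    """Report which of the host's MAC addresses appear in the targeted list.
    'targeted' False does NOT mean clean: the backdoored updater may still be
    installed, the machine was just not one the second-stage payload was for."""
    normalized = {normalize_mac(m) for m in local_macs}
    matched = sorted(normalized & targeted)
    return {"checked": sorted(normalized), "matched": matched, "targeted": bool(matched)}


def local_macs() -> list:
    """Best effort: the hardware address Python's uuid module reports for this
    host (may be a random value on hosts without a readable MAC)."""
    return [f"{uuid.getnode():012x}"]


if __name__ == "__main__":
    print(check_macs(local_macs()))
```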
Here is some more Tech News from around the web:
- Nintendo planning two new Switch models @ Ars Technica
- Netflix wants to choose its own adventure where Bandersnatch trademark case magically vanishes @ The Register
- Apple is reportedly working on App Store games by subscription @ The Inquirer
- We fought through the crowds to try Oculus's new VR goggles so you don't have to bother (and frankly, you shouldn't) @ The Register
- Microsoft's Chromium version of the Edge browser has leaked all over the internet @ The Inquirer
- Improved Estimates of the Distance To the Large Magellanic Cloud @ Slashdot
- 2019 Samsung Forum - QLED 8K + 4K TVs, iTunes & More @ TechARP