A million or so Asus personal computers may have downloaded spyware from the computer maker's update servers and installed it, Kaspersky Lab claims.
Someone was able to modify a copy of the Asus Live Update Utility, hosted on the Taiwanese manufacturer's backend systems, and sign it using the company's security certificate, even keeping the file length the same as the legit version, to make everything seem above board. The update utility ships with every machine, and routinely upgrades the motherboard firmware and related software with any available updates from Asus.
When it checked in with Asus's servers for the latest updates, the utility would fetch and install a backdoored version of the Asus Live Update Utility, we're told. The dodgy version was offered between June and November 2018, according to Kaspersky.
That infected build of the utility was designed to spy on roughly 600 machines, identified by their network MAC addresses hardcoded into the software. So, roughly a million Asus-built computers may have been running a trojanized update utility, with a few hundred actively spied on via the backdoor.
The software nasty, discovered by Kaspersky in January this year and dubbed ShadowHammer, because they've all got to have a sexy name these days, was apparently found on 57,000 machines running the Russian security shop's antivirus tools. Extrapolating that figure, there are a million or so computers running this backdoor, it is claimed: Asus is the world's fifth largest computer manufacturer. Kaspersky claims it has found similar exploit code in the firmware of three other, as yet unnamed, vendors.
"We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques," said the Russian bughunters in a preliminary report.
Downloaded CCleaner lately? Oo, awks... it was stuffed with malwareREAD MORE
"The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers."
Kaspserky said its staff first informed Asus about the mass infection on January 31, and met them two weeks later, according to Motherboard. But since then the manufacturer hasn't seemingly made progress on a fix, and hasn't warned customers. It also did not respond to our request for comment.
Symantec also said its antivirus tools detected the backdoored update utility on 13,000 or more machines.
It goes without saying that you shouldn't be put off installing security updates and patches because of this snafu.
"This is the worst kind of supply chain attack," said Matt Blaze, adjunct computer science prof and crypto-guru, in response to the revelations. "It threatens to poison faith in the integrity of update mechanisms that have become essential for security today. But in spite of this one attack, you are still WAY better off keeping things updated. Really.
"Everything ships with vulnerabilities. They get discovered (and exploited) over time. If you patch, there's a small chance you'll fall prey to a malicious update injected through the vendor. But if you don't patch, there's a close to 100% chance you'll be attacked over time."
If you want to check if you're one of the recipients of malware on the MAC address list, there's an online tool to do just that right here. Kaspersky said its investigation into this supply chain attack is ongoing, and will release a full report into the debacle at its annual security jamboree in Singapore on April 8. ®