Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

Discussion in 'malware problems & news' started by ronjor, Mar 25, 2019.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    by Kim Zetter Mar 25 2019
     
  2. guest

    guest Guest

    Operation ShadowHammer
    March 25, 2019
    https://securelist.com/operation-shadowhammer/89992/
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is exactly what I keep saying: it's never a bad idea to install specialized tools, just in case AV fails to detect these kinds of advanced attacks. What if it was used to run ransomware or to steal data via some (banking) trojan?
     
  4. guest

    guest Guest

    Hack Brief: How to Check Your Computer for Asus Update Malware
    March 25, 2019
    https://www.wired.com/story/asus-software-update-hack/
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    Asus implements fix for malware attack March 26, 2019
     
  6. guest

    guest Guest

    It is an update, so specialized tools won't do much: it has a certificate and will probably run at System level.
    Even with efficient tools, since it is a trusted source, people will disable/lower their security settings to let it run unhampered.
    Not saying Average Joe doesn't use specialized tools.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Per Kaspersky, this was a targeted attack with only 600 devices affected. The Kaspersky tool will inform you if you are one of them. Also Asus is not the only concern with the vulnerability:
    https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    ASUS Releases Security Update for Live Update Software
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The tool is unnecessary in the first place, it is just bloatware. You don't need an updater for your mobo.
     
  10. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I see things differently. The thing is, this backdoor can probably download and execute all kinds of malware from disk, so let's say ransomware or some trojan is executed, then a specialized tool like anti-keylogger or anti-ransomware can still stop this attack.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    If a backdoor like this would spew out ransomware or keyloggers to attack the masses, it would be detected pretty fast. That would be a waste of time and effort on the part of the hackers. They spent months to get access, and got shut down quickly, after making a few dollars.
    That's why hacks like these are used for espionage on carefully chosen high-value targets. Big money.
     
  13. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,440
    Location:
    U.S.A.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Correct, but the discussion is purely about how these attacks work on a technical level. If malware is executed via this backdoor, then behavior blocking tools should be able to block them. Would be pretty cool to simulate such a test.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I would like to see such a test, too.
    But if I remember right, with the CCleaner backdoor it was pretty hard to detect, even with HIPS.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To clarify, behavior blockers probably won't detect the hidden backdoor itself; even AVs completely failed. But BBs should be able to detect activities from malware that's downloaded by the backdoor.

    Of course, in theory, the backdoor could have worked completely in-memory (no files dropped to disk), which would be even harder to detect. Makes you wonder whether it's a good idea to auto-trust "certified" apps, like some HIPS do. Probably not.
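    The point made above, that a signed updater should not be exempt from behavior rules and that the second-stage activity is where a behavior blocker gets its chance, can be shown with a small toy detector. This is an added example written for this thread, not code from the thread, from ASUS, or from any vendor's product. The telemetry lines are constructed (a hypothetical Updater.exe and vendor hostname), and the rules are deliberately simple: the signed updater is tracked but never trusted, and the alerts fire on what it does next (writing an executable into a user-writable directory, spawning an unsigned child from there, that child talking to the network, or the updater itself reaching a host outside its expected set).

```python
"""Toy behavior-blocking rules over process/file/network telemetry (JSON lines).

Added example for this thread; not real ASUS Live Update telemetry and not any
vendor's detection logic. Hostnames, paths and PIDs below are constructed.
"""
import json

# Hosts the (hypothetical) updater is expected to talk to. Assumption of this example.
EXPECTED_HOSTS = {"update.vendor.example"}

# Constructed sample telemetry: a signed updater drops and runs an unsigned binary.
SAMPLE_EVENTS = r"""
{"ts": 1, "pid": 100, "parent": 1, "type": "process_start", "image": "C:\\Program Files\\Vendor\\Updater.exe", "signed": true}
{"ts": 2, "pid": 100, "type": "net_connect", "host": "update.vendor.example"}
{"ts": 3, "pid": 100, "type": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe"}
{"ts": 4, "pid": 200, "parent": 100, "type": "process_start", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe", "signed": false}
{"ts": 5, "pid": 200, "type": "net_connect", "host": "203.0.113.7"}
{"ts": 6, "pid": 100, "type": "net_connect", "host": "198.51.100.9"}
"""


def is_user_writable(path):
    """Crude check for user-writable locations where an updater has no business dropping code."""
    p = path.lower()
    return "\\temp\\" in p or "\\appdata\\" in p or "\\downloads\\" in p


def _alert(rule, ev):
    return {"rule": rule, "ts": ev["ts"], "pid": ev["pid"]}


def detect(event_lines, expected_hosts=EXPECTED_HOSTS, updater_name="updater.exe"):
    """Return the list of alerts raised over the given JSON-lines telemetry.

    The updater's signature is recorded but never used to suppress a rule: the
    whole point is that 'signed by the vendor' says nothing about behavior.
    """
    alerts = []
    updater_pids = set()      # PIDs of the trusted updater image
    dropped_children = set()  # PIDs of suspicious processes the updater started

    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind, pid = ev["type"], ev["pid"]

        if kind == "process_start":
            image = ev["image"].lower()
            if image.endswith("\\" + updater_name):
                updater_pids.add(pid)
            elif ev.get("parent") in updater_pids and (
                not ev.get("signed") or is_user_writable(image)
            ):
                # Updater launched something unsigned or living in a scratch directory.
                dropped_children.add(pid)
                alerts.append(_alert("updater_spawned_suspicious_child", ev))

        elif kind == "file_write" and pid in updater_pids:
            path = ev["path"]
            if path.lower().endswith((".exe", ".dll")) and is_user_writable(path):
                alerts.append(_alert("updater_wrote_executable_to_user_dir", ev))

        elif kind == "net_connect":
            if pid in updater_pids and ev["host"] not in expected_hosts:
                # Updater talking to something other than its own update server.
                alerts.append(_alert("updater_unexpected_destination", ev))
            elif pid in dropped_children:
                alerts.append(_alert("dropped_child_network_activity", ev))

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

    Running it on the constructed trace gives four alerts, in event order: the executable written to Temp, the unsigned child spawned from it, that child's outbound connection, and the updater's own connection to an unexpected address. The first event (the signed updater starting) produces nothing on its own, which is the gap the thread is describing: a backdoor that stays inside the signed process and never drops or connects would pass these rules, and only the in-memory behavior it eventually performs gives a blocker something to see.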
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The app was validly signed and the download occurred from legit Asus servers:
    This was a "supply chain" attack. It's not the first and it won't be the last by any means:
    https://securelist.com/operation-shadowhammer/89992/

    Ultimately, the integrity of the downloaded update content lies with the vendor hosting the update servers.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In this regard and also from the above posted securelist.com article, Asus failed:
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Just out of curiosity, why is it called a supply chain attack, rather than update poisoning? I thought supply chain means that a compromised piece of hardware or software was supplied to the manufacturer, who then incorporated it in his product.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    That is correct. In all these attacks, the primary vendor has contracted out his software maintenance activities to a third party. The breaches have occurred under the control of the third party, either at his premises or at the primary vendor's premises.

    Asus is a classic example in that they are a computer hardware manufacturer. All their firmware and limited supporting software, in this case the firmware update utility, would be sub-contracted out to a concern that specializes in that kind of development. For most if not all Taiwanese computer hardware manufacturers, that is mainland China.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's a detailed reference to BARIUM's "modus operandi" by Microsoft: https://www.microsoft.com/security/...industrial-attacks-with-windows-defender-atp/ . If you don't want to "wade through" all the WD ATP propaganda and ruin your appetite for dinner, here's a short recap:
    https://www.pinkerton.com/user_area/content_media/raw/CyberSecurity-Newsletter_6-18.pdf

    -EDIT- Eset's detailed analysis on the Winnti backdoor: https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/
     
    Last edited: Mar 27, 2019
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
  23. guest

    guest Guest

    Inside the ASUS Supply chain attack
    March 28, 2019
    http://blog.morphisec.com/asus-supply-chain-attack
     
  24. guest

    guest Guest

    Researchers publish list of MAC addresses targeted in ASUS hack
    Most of the targeted MAC addresses are used by ASUStek, Intel, and AzureWave devices
    March 29, 2019

    https://www.zdnet.com/article/researchers-publish-list-of-mac-addresses-targeted-in-asus-hack/
    Another analysis (F-Secure):
    A Hammer Lurking In The Shadows
    March 29, 2019
    https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows/
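    Since the thread links both a published list of targeted MAC addresses and a vendor tool that tells you whether your machine is on it, here is what such a self-check looks like. This is an added example for this thread, not the Kaspersky tool, not the researchers' published list, and not code from any of the linked articles. The target list below is a constructed placeholder; a real check would load the published list instead. MAC addresses turn up in several spellings (colon, dash, Cisco dotted, bare hex, any case), so the check normalizes everything to one canonical form first. It also accepts targets given as MD5 digests of the canonical form, which is an assumption of this example for the case where a list is distributed hashed, not a claim about how the real attack or the real lists encoded them. The local-MAC helper uses only the standard library, which reports a single interface; a production checker should enumerate every adapter.

```python
"""Check local MAC addresses against a published list of targeted MACs.

Added example for this thread. TARGETED_MACS is a constructed placeholder, and
the hashed-target format (MD5 of 'AA:BB:CC:DD:EE:FF') is an assumption of this
example, not the encoding used by the real attack or the real published lists.
"""
import hashlib
import re
import uuid

# Constructed placeholder entries in three common spellings; replace with the published list.
TARGETED_MACS = {
    "00:11:22:33:44:55",
    "aa-bb-cc-dd-ee-ff",
    "0011.2233.4466",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")


def canonical_mac(mac):
    """Normalize any common MAC spelling to uppercase, colon-separated 'AA:BB:CC:DD:EE:FF'.

    Raises ValueError if the input does not contain exactly 12 hex digits.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", str(mac)).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def mac_hash(mac):
    """MD5 of the canonical form (assumed hashed-list encoding for this example)."""
    return hashlib.md5(canonical_mac(mac).encode("ascii")).hexdigest()


def build_index(targets):
    """Split a target list into (plain canonical MACs, lowercase MD5 digests)."""
    plain, hashed = set(), set()
    for t in targets:
        s = str(t).strip().lower()
        if _MD5.match(s):
            hashed.add(s)
        else:
            plain.add(canonical_mac(s))
    return plain, hashed


def matches(macs, targets):
    """Return the canonical form of every MAC in `macs` that appears in `targets`.

    Unparseable entries are skipped rather than raising, so a noisy adapter
    listing does not abort the check.
    """
    plain, hashed = build_index(targets)
    hits = []
    for m in macs:
        try:
            c = canonical_mac(m)
        except ValueError:
            continue
        if c in plain or mac_hash(c) in hashed:
            hits.append(c)
    return hits


def local_macs():
    """Best-effort list of this host's MACs using only the standard library.

    uuid.getnode() reports one interface; if it could not read a hardware
    address it returns a random number with the multicast bit set, which we
    treat as 'unknown' rather than reporting a bogus address.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [canonical_mac(f"{node:012x}")]


if __name__ == "__main__":
    hits = matches(local_macs(), TARGETED_MACS)
    print("targeted MAC found:", hits if hits else "none")
```

    The normalization step is where such checks usually go wrong: a list published with dashes compared byte-for-byte against an adapter reported with colons silently matches nothing. Collapsing both sides to one canonical spelling before comparing, and hashing only that canonical spelling, keeps the comparison honest whichever way the list was distributed.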
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Some of these articles were a bit too complex for me. It's not clear to me if this backdoor had the ability to run malware completely in-memory. But if so, it would be quite advanced. Somebody should really simulate such an attack to see which behavior blocking tools and EDR systems could spot such an attack.
     