Hack Brief: How to Check Your Computer for Asus Update Malware | US Computer Academy

Today's news that hackers put backdoors into thousands of Asus computers using the company's own software update platform is a reminder of why supply-chain compromises are one of the scariest digital attacks out there.

Attackers compromised Asus’s Live Update tool to distribute malware to almost 1 million customers last year, according to initial findings researchers at the threat intelligence firm Kaspersky Lab disclosed Monday. The news was first reported by Motherboard. Asus machines accepted the tainted software because the attackers were able to sign it with a real Asus certificate (used to verify the legitimacy and trustworthiness of new code). Though the scope of the attack is broad, the hackers seem to have been seeking out a select 600 computers to target more deeply in a second-stage attack.
The Hack
Kaspersky calls the attack ShadowHammer, indicating a possible link to ShadowPad malware used in some other major software supply-chain attacks. The hackers took a real Asus update from 2015 and subtly modified it before pushing it out to Asus customers sometime in the second half of 2018. Kaspersky discovered the attack on Asus in January and disclosed it to the company on January 31. Kaspersky says its researchers met with Asus a few times and the company seems to be in the process of investigating the incident, cleaning up its systems, and establishing new defenses.

Asus did not begin notifying its customers about the situation until Kaspersky went public with the findings. "A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," the company wrote in a statement on Tuesday. "ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."

Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.

Software supply-chain attacks are insidious, because once hackers establish the ability to create platform updates that appear to be legitimate, they can capitalize on the product's distribution base to spread their malware quickly and widely. In the case of the Asus incident, attackers were targeting more than 600 machines in particular. They took advantage of Asus' reach to do a big sweep for as many of them as possible.

"Like any other supply-chain attack, this is very opportunistic," says Costin Raiu, director of Kaspersky's global research and analysis team. "You cast a wide net to try to catch everything and then handpick what you're looking for."

Every digital device has a unique identifier called a MAC address, and the Asus malware was programmed to check the addresses of the devices it infected. For the hundreds of thousands of Asus customers whose devices weren’t on the hackers' hit list, the malware would have no effect; it wasn’t programmed to be able to do anything else. If it was running on a targeted machine, however, it was programmed to phone home to a malicious server and download the second-stage payload to carry out a deeper attack.

For now, Kaspersky says it doesn't have a full picture of what the attackers were doing on the specially targeted machines.

Who’s Affected
Kaspersky estimates that the malware was distributed to about 1 million machines in total. Most Asus users won’t experience any long-term effects of the attack, but it remains to be seen what exactly the impacts were for people who own any of the 600 targeted machines.

The list of roughly 600 target devices that the malware was looking for mostly includes Asus machines—as you would expect for malware distributed through that manufacturer. But Raiu notes that some of the MAC addresses in the list have prefixes indicating that they are not Asus devices and are made by another manufacturer. It's unclear why these non-Asus MAC addresses were included in the list; perhaps they represent a larger sample of the attackers' total wish list.

Kaspersky has created a downloadable tool and an online portal that you can use to check whether your devices' MAC addresses were on the target list. The researchers hope that this will help them connect with victims of the more targeted attack, so they can find out more about what the hackers were after and what the targeted victims have in common, if anything. On Tuesday, Asus also released a diagnostic tool for its users.
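
A fleet-side version of the check described above, as an added example (it is not Kaspersky's or Asus's tool): it normalizes the MAC addresses in an asset inventory, matches them against a target list, and reports list entries whose manufacturer prefix is not the expected vendor's. The hostnames, addresses and vendor prefix are constructed placeholders, since the real target list is not reproduced on this page.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC-48."""
    # Inventories mix 00:11:.., 00-11-.. and 0011.2233.4455 notations.
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None

def oui(mac):
    """Manufacturer prefix: the first three octets of a normalized MAC."""
    return mac[:6]

def check_inventory(inventory, target_list, vendor_ouis):
    """inventory: iterable of (hostname, raw_mac) pairs.

    Returns (hits, unparsed, foreign):
      hits     - hosts whose MAC is on the target list
      unparsed - inventory rows that could not be checked at all
      foreign  - target-list entries whose prefix is not in vendor_ouis
    """
    targets = {m for m in map(normalize_mac, target_list) if m}
    hits, unparsed = [], []
    for host, raw in inventory:
        mac = normalize_mac(raw)
        if mac is None:
            unparsed.append((host, raw))   # unchecked is not the same as clean
        elif mac in targets:
            hits.append((host, mac))
    foreign = sorted(t for t in targets if oui(t) not in vendor_ouis)
    return hits, unparsed, foreign

# Constructed sample data (documentation and locally administered addresses).
TARGETS = ["00:00:5E:00:53:01", "00-00-5e-00-53-7f", "02:00:00:AA:BB:CC"]
VENDOR_OUIS = {"00005e"}                   # placeholder for the vendor's prefixes
INVENTORY = [
    ("lab-nb-01", "0000.5e00.5301"),
    ("lab-nb-02", "00:00:5E:00:53:10"),
    ("lab-pc-03", "00-00-5E-00-53-7F"),
    ("lab-pc-04", "n/a"),
]

if __name__ == "__main__":
    hits, unparsed, foreign = check_inventory(INVENTORY, TARGETS, VENDOR_OUIS)
    print("on target list:", hits)
    print("could not check:", unparsed)
    print("non-vendor prefixes in list:", foreign)
```

A machine with several network interfaces needs one inventory row per interface, because any one of its addresses may be the one on the list.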

About Author Saqlain Mushtaq 'l-BSCS
