Hackers Hijacked ASUS Software Updates To Install Backdoors on Thousands of Computers (vice.com) 114
ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company's server and used it to push the malware to machines. From a report: Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world's largest computer makers, was unwittingly used to install a malicious backdoor on thousands of its customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says. ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.
The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines. Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.
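The summary describes an implant that was delivered to half a million machines but only activated on a short list of hosts identified by MAC address, and a checker that lets owners test their own addresses against that list. The following is an added example written for this page (not Kaspersky's tool and not the ShadowHammer sample) showing how such a gate works from both sides: normalizing MAC addresses into one canonical form, comparing hashed addresses against an embedded target set, and reading the local hardware address. The target addresses are constructed for the example, and hashing with SHA-256 over the colon-separated lowercase form is an assumption of this example; the page does not state how the real malware encoded its list.

```python
"""Added example: MAC-address-gated targeting check (illustrative, not the
original malware or Kaspersky's checker)."""
import hashlib
import re
import uuid
from typing import Iterable, List

# Constructed for this example: two made-up, locally administered addresses
# standing in for the attackers' target list. A real checker would embed the
# hashes as literals so the raw addresses are never disclosed; here they are
# derived from the constructed addresses so the block is self-contained.
CONSTRUCTED_TARGETS = ("02:42:ac:11:00:02", "06:a1:b2:c3:d4:e5")


def normalize_mac(mac: str) -> str:
    """Canonicalize common MAC spellings to lowercase colon form.

    Accepts '02-42-AC-11-00-02', '0242.ac11.0002', '0242ac110002', etc.
    Raises ValueError if the input does not contain exactly 48 bits, so that a
    malformed or hand-typed address can never silently match or miss a target.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash of the normalized address. Hashing is an assumption of this example:
    it lets a target list (or a defender's checker) ship without the addresses."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


TARGET_HASHES = frozenset(mac_hash(m) for m in CONSTRUCTED_TARGETS)


def is_targeted(macs: Iterable[str], target_hashes=TARGET_HASHES) -> List[str]:
    """Return the normalized addresses in `macs` whose hash is on the list.

    This is the decision the implant makes before contacting its C2, and the
    same comparison a defender runs to learn whether a host was a target.
    """
    return [normalize_mac(m) for m in macs if mac_hash(m) in target_hashes]


def local_mac_addresses() -> List[str]:
    """Best-effort read of this host's hardware address using only the stdlib.

    uuid.getnode() yields a single 48-bit value; when it cannot find a real
    adapter it returns a random number with the multicast bit (bit 40) set, so
    that case is filtered out rather than being hashed as if it were hardware.
    Multi-adapter hosts (Wi-Fi plus Ethernet) need every adapter checked; feed
    the output of `ip link` or `getmac` into is_targeted() for that.
    """
    node = uuid.getnode()
    if node & (1 << 40):
        return []
    return [normalize_mac(f"{node:012x}")]


if __name__ == "__main__":
    # Constructed sample: one listed address in a different spelling, one not.
    sample = ["02-42-AC-11-00-02", "00:11:22:33:44:55"]
    print("constructed sample hits:", is_targeted(sample))
    print("this host:", is_targeted(local_mac_addresses()) or "not on the constructed list")
```

The normalization step is the part that matters in practice: target lists, `ipconfig` output and vendor tools all spell addresses differently, and a checker that compares raw strings will report a false negative on a targeted host. Hashing the canonical form before comparison also means the set can be published without revealing the victims.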
Re: (Score:2, Interesting)
Yes, but we designed RAD tools that convinced even the most illiterate dumbass that he can write code. Everyone can copy/paste from stackexchange and that's what doubles as "coding" today.
I call it "total job security". Yes, I'm in IT security.
Re: (Score:3)
I am also in IT security and I cannot say I disagree. Although as part of my job I do security coding at full consulting rates. That is about 3 times what our customers pay for regular coders and it is eminently worth it for them. I mean, "senior web developers" with > 5 years of experience that do not even know what a HTTP request looks like? These people are worth worse than nothing. They would be very expensive if they were free. It is utterly pathetic. And this is from a Fortune-500 company that crit
Re: (Score:2)
Yes. I know. I currently have the (questionable) pleasure of being in charge of IT security for such a company. What really ticks me off is when people get detailed information on what security flaws exist and they "fix" it in a way that betrays that they don't even remotely try to understand the underlying issue. Look, I don't even expect a web developer anymore to know what an HSTS header is. But that they can't even be assed to at least take a look at what it is when the pentesting team pretty much rubs t
Re: (Score:2)
The max-age of zero is nice! "Zero-insight coding" is what I call that. I have seen such things as well.
I do strongly recommend against the code monkeys from India though. They will make things even worse. All the competent people from India are not cheaper than western devs. The others are really, really bad. They made the all-time worst implementation of a feature (that still worked, somewhat) that I have seen: A piece of code that was used to remove duplicates from an SQL-query result. They used a manuall
Re: There are no "Software Engineers". (Score:2, Offtopic)
Re: There are no "Software Engineers". (Score:1)
Re: (Score:2)
There are software engineers. There are people that are well trained as engineers in the realm of producing software and have been selected for talent and insight. There are also gifted amateurs that are almost as good. But these people are a small, small minority in the coder population.
It is time to require that engineering degree and have the self-taught people come in and prove they can do as well. (Little known fact: You can get almost any academic degree without going to university by proving equivalen
Re: (Score:2)
Re: (Score:2)
Actually, you need laws. Otherwise, all liability will land on the developers while they get no authority to withhold sign-off until they're actually satisfied.
At the same time, many of the security issues actually do exist in more conventional engineering fields. How many bridges do you suppose are resistant to multiple attempts to bring it down every day? If someone did get a key support to fail, by cutting it or blasting it, do you really think the designer would bear responsibility?
Bank vaults aren't grad
Re: (Score:2)
So quit my job and hold out until an employer is willing to sign a contract that no employer of software developers has signed before? And they'll do it because it's more expensive and gives them less control because they love those things?
SUUUUUUUUUre.
Re: (Score:2)
Who said anything about entitlement. With responsibility must come authority or the responsible party is merely a scapegoat.
What's so entitled about not accepting the role of scapegoat?
Re: (Score:2)
Only if they expect me to bear responsibility as a PE would for a bridge (for example).
If they want to keep the authority, they get to keep the responsibility.
Re: (Score:2)
The law is the only reason PEs have final authority to sign off now and it's the only reason firms must hire them in spite of the expense.
You DO realize that the only reason the civil courts have any authority is those same men with guns, don't you?
Re: (Score:2)
Sorry, no. It's turtles all the way down.
Consider, your rent-a-court Says you're right (SURPRISE!) and I should pay you $100. I say no. rent-a-court does what?
Step 1 (Score:5, Funny)
Give it a cool name:
Check.
Why? (Score:2)
Re:Why? (Score:5, Insightful)
Answer: Those people are expensive.
Question: Why doesn't ASUS build their computers so the standard Microsoft Updates would fix most of the problems, and not deal with their own update tool.
Answer: Because using certified parts is expensive too.
So use cheap parts + cheap labor and sell their systems at market price = profit.
Re: (Score:3, Interesting)
And because every company wants branding and analytics, and are more focused on marketing than security.
I assure you, the marketing department had more input on this platform than the technical people.
Based on the rest of consumer product security we see these days, any security was added as an aftert
Re: (Score:1)
Question: Why doesn't ASUS build their computers so the standard Microsoft Updates would fix most of the problems, and not deal with their own update tool.
Answer: Microsoft Updates create their own set of problems. Here are a few from the past six months...
https://tech.slashdot.org/story/19/01/31/1921211/many-windows-10-users-unable-to-connect-to-windows-update-service
https://tech.slashdot.org/story/19/01/10/1640232/windows-7-users-who-installed-january-update-report-network-issues-some-say-the-update-has-
Stories show Microsoft's VERY poor management. (Score:2)
Many Windows 10 Users Unable To Connect To Windows Update Service. [slashdot.org]
Windows 7 Users Who Installed January Update Report Network Issues; Some Say the Update Has Also Incorrectly Flagged Their OS License as 'Not Genuine'. [slashdot.org]
Windows 10 Will Reserve 7GB of Your Computer's Storage in its Next Major Release So That Big Updates Don't Fail. [slashdot.org]
Latest Windows 10 Update Breaks Windows Media Player, Win32 Apps In General [slashdot.org]
Microsoft Resumes Rollout of Windows 10 Version 1809, Promises Qua [slashdot.org]
Re: (Score:3)
If we update through MS Update, how do we get the telemetry from your computer?
Re: (Score:2)
Answer: Those people are expensive.
Question: Why doesn't ASUS build their computers so the standard Microsoft Updates would fix most of the problems, and not deal with their own update tool. Answer: Because using certified parts is expensive too.
So use cheap parts + cheap labor and sell their systems at market price = profit.
That post is a microcosm of why I never buy Asus -> Mod this guy up.
Re: (Score:1)
What h/w supplier does this not apply to?
Re: (Score:2)
I am positive that you can and will provide us with a company that has a better security record where we should get our hardware instead from now on.
Right?
Re: (Score:2)
Because "managers" cannot do simple math. They do not understand that people who are cheaper per hour but produce a lot of problems are much more expensive than people who are more expensive per hour but produce far less problems. They also have no clue that writing software is anything but easy.
Re: (Score:1)
Complexity to user.
Complexity to support user.
ASUS doesn't use a HSM for their signing? (Score:5, Insightful)
Now this is something scary. Any company that takes security seriously uses a HSM to ensure that at worst, bad guys have to compromise the HSM specifically to generate signatures.
At the minimum, and this is a MS recommended practice, the cert signing computers should be air-gapped to require a physical presence to sign something. The fact that this isn't done for a critical hardware company is extremely worrisome.
For something as critical as updates, it is actually shocking that a HSM isn't used. These are not expensive... YubiKey sells a HSM for $650.
Re: (Score:3)
Re: (Score:1)
Hardware Security Module
Re: (Score:2)
YubiKey does not sell HSMs. If you go with a cheap real HSM, you are paying at least $50'000.
Re: (Score:2)
Actually, you're off by an order of magnitude; you can buy an HSM for $5000-ish.
[Citation: I work with HSMs at the office.]
Re: (Score:2)
Have the snake-oil vendors gotten into the HSM market after all? Care to share a reference to a product?
Re: (Score:2)
I don't think I can, sorry; nobody seems to publish their pricing, presumably because they want to harass you with sales goons. We're also under NDA.
I can tell you that one vendor, who didn't give us special pricing on hardware, sold us an HSM for around $5k US. This is a PCI-e card model, not an appliance, so it's probably much cheaper... there's no intrusion detection or anything like you'd get with a 1U rack mount or something like that.
Don't get software from hardware vendors (Score:2, Interesting)
So how do I tell if I've been infected? (Score:5, Interesting)
Re:So how do I tell if I've been infected? (Score:5, Informative)
What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?
https://shadowhammer.kaspersky... [kaspersky.com]
Re:So how do I tell if I've been infected? (Score:5, Informative)
Also interesting that this headline says "thousands", the article says hundreds of thousands and the Kaspersky link says more than a million.
Comment removed (Score:4, Informative)
Re: (Score:3)
the_skywise inquired:
What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?
Kaspersky has made available a downloadable tool [kas.pr] to determine whether the MAC address of your machine is on the list of addresses this malware targets:
https://kas.pr/shadowhammer
What you have to understand about Advanced Persistent Threat malware in general is that it is all designed to be exceedingly hard to detect, and as difficult as possible to remove, so there aren't any files you can "check for," nor is there a real possibility that you can remove it yourself.
Although Kaspersky ha
Re: (Score:1)
https://kas.pr/shadowhammer
A zip file from "kas" in Puerto Rico. Yeah, I'm totally going to run whatever EXE is inside there. No worries, "thomst" on Slashdot says it's probably 100% legit.
Moscow-based? (Score:1)
I thought Kaspersky changed its base of operations to Switzerland because of the recent problems with the US Government?
Has anyone else's home networks been knocked out? (Score:2)
Re: (Score:1)
My primary device is an ASUS laptop I bought for school a few years ago. Over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem, my next step being to replace the router.
Has anyone else with an ASUS device noticed issues like this? Could this be the issue? I've even tried loading CentOS and Tails just to get the same "no internet connection available".
I don't currently use asus devices, but it doesn't make sense for this to be your issue. Installing a backdoor on your Windows OS would not affect a TAILS bootup. In your case, I'd suspect the wifi adapter itself, first. Do you have a USB wifi you can plug in for testing? Or ethernet cable? When the internet connection goes out, can you still access your router?
Re: (Score:1)
My primary device is an ASUS laptop I bought for school a few years ago. Over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem, my next step being to replace the router.
Has anyone else with an ASUS device noticed issues like this? Could this be the issue? I've even tried loading CentOS and Tails just to get the same "no internet connection available".
Whoops, missed the "across multiple devices" part -- which would point more towards an issue with either router or modem...
Re: (Score:2)
Most likely this has nothing to do with network connectivity issues. The malware took very great care to be invisible unless activated, and the server where the second payload should have come from has been down since at least November 2018. In other words, anything happening to you for the last 2 weeks is most likely not due to this.
Not a big a deal (Score:2)
And, as usual, nothing much will happen. The vast majority just pay lip service to security, but don't really put their money where their mouth is. Why? Because it is not worth their while. It is far easier, and better for their bottom line, to talk big about security, than actually taking the necessary security steps. Because when the inevitable security "disaster" occurs, nothing much happens. And that is the case because it is not in the interest of any of the major players for anything much to happen. W
Further evidence ASUS is all about the $'s. (Score:2)
I forked over all the money about a year ago for an ASUS ROG Zephyrus gaming laptop, mainly because it was the first to market using the new nVidia standards that let a 1080 series video card run in a slimmer laptop while still getting adequate cooling.
Well -- I woke up one morning to find my keyboard bulging upwards around the S, D and F keys.
The battery in it blew up like a balloon, to the point it's deforming the keyboard on top of it. A quick search on the net reveals a bunch of complaints about the ex
Re: (Score:3)
Yeah, when they only did motherboards they had that great reputation. I've seen at least 4 out of 4 of their laptops over the last few years that were pretty bad on overheating and reliability. I wouldn't buy another ASUS laptop for gaming.
re: snake oil (Score:2)
Actually, not quite .... The whole innovative thing with the ROG Zephyrus was the idea the laptop would be slimmer, like a typical laptop, when you carry it around with the lid closed. But when you open its lid, the bottom cover also lifts up in back, creating a bunch of extra airflow in and out of the case.
It's kind of a smart concept, IMO. A lot of people were buying various laptop stands to tilt their laptops forward at an angle while using them anyway... This just does the same thing without needing
Re: (Score:3)
Sounds like this is installing software through the Windows ASUS software update program. Not to say that they couldn't have signed some BIOS files that were then installed, but if you aren't running the update tool in Windows you're probably good.
Some EFI stuff can actually update independently now, but would have to boot into EFI config and update firmware there pretty sure.
High level hacker (Score:4, Insightful)
It could be a high level state actor looking for high value targets.
Or this is the test exploit verifying the ability for field testing. Subsequently they might have installed other back doors, and erased those operations from the update process. They forgot to clean up the original test code.
Given the level of persistence these things can have, it would be really impossible to clean up the infected ASUS machines.
Re: (Score:2)
The chart on Operation ShadowHammer https://securelist.com/operati... [securelist.com] lists nations by (% by country) as
Russia, Germany, France, Italy, the USA, Spain, Poland, the UK
The page also has a MAC addresses online tool and an email if a MAC is detected.
Re: (Score:1)
Also has an email if MAC addresses are detected.