
Hackers Hijacked ASUS Software Updates To Install Backdoors on Thousands of Computers (vice.com)

ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company's server and used it to push the malware to machines. From a report: Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world's largest computer makers, was unwittingly used to install a malicious backdoor on thousands of its customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says. ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.

The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines. Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.
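The summary says the implant only activated on machines whose MAC address was on a hard-coded target list, and the thread below points at a Kaspersky tool that checks a machine's MAC against that list. The following is an added example, not Kaspersky's tool and not the malware's code: it shows the defender-side check and the two places it goes wrong in practice, namely inconsistent MAC formatting (colon, dash and Cisco dotted forms) and a list published as hashes rather than raw addresses. `TARGET_MACS`, `LOCAL_ADAPTERS`, the hashed-list format and the `md5`-over-canonical-form assumption are all constructed for the example; the real ShadowHammer list and its format are not on this page.

```python
"""Check whether any local network adapter is on a MAC-address target list.

Added example, not Kaspersky's tool or the malware. TARGET_MACS and
LOCAL_ADAPTERS are constructed sample data; the real ShadowHammer list and
its publication format are not reproduced on this page."""
import hashlib
import re
import uuid

# Constructed sample target list, in the three separator styles a published
# list might mix. Only the first entry matches a sample adapter below.
TARGET_MACS = {
    "00:1a:2b:3c:4d:5e",
    "AA-BB-CC-DD-EE-FF",
    "0123.4567.89ab",
}

# Constructed sample of an inventory of local adapters (name, address).
LOCAL_ADAPTERS = [
    ("Ethernet", "00:1A:2B:3C:4D:5E"),
    ("Wi-Fi", "5c:e0:c5:11:22:33"),
    ("Bluetooth", "5C-E0-C5-11-22-34"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC to 12 lowercase hex digits, no separators.

    Accepts colon, dash and Cisco dotted forms. Rejects anything that is
    not exactly 48 bits, so a typo in the list or the inventory raises
    instead of silently producing a non-match."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def targeted_adapters(adapters, targets):
    """Return the (name, mac) pairs whose address is in the raw target list."""
    wanted = {normalize_mac(t) for t in targets}
    return [(name, mac) for name, mac in adapters if normalize_mac(mac) in wanted]


def mac_digest(mac, algo="md5"):
    """Digest of the canonical form.

    Assumption for this example: a hashed list is computed over the exact
    12-hex-digit representation. A list hashed over 'aa:bb:...' bytes would
    need the same separators and case before hashing, or nothing matches."""
    return hashlib.new(algo, normalize_mac(mac).encode("ascii")).hexdigest()


# A list distributed as hashes instead of raw addresses (assumed format;
# derived here from TARGET_MACS so the two checks agree).
TARGET_HASHES = {mac_digest(m) for m in TARGET_MACS}


def targeted_adapters_hashed(adapters, target_hashes, algo="md5"):
    """Same check against a hashed list: hash the local MAC, then look it up."""
    return [(name, mac) for name, mac in adapters
            if mac_digest(mac, algo) in target_hashes]


def local_mac_via_uuid():
    """Best-effort hook for a real machine: one adapter MAC from the standard
    library. Returns None when uuid.getnode() fell back to a random value
    (it sets the multicast bit, bit 40, in that case), which must not be
    checked against the list."""
    node = uuid.getnode()
    if (node >> 40) & 1:
        return None
    return f"{node:012x}"


if __name__ == "__main__":
    print("raw-list matches:", targeted_adapters(LOCAL_ADAPTERS, TARGET_MACS))
    print("hashed-list matches:",
          targeted_adapters_hashed(LOCAL_ADAPTERS, TARGET_HASHES))
    mac = local_mac_via_uuid()
    if mac is not None:
        hit = targeted_adapters([("uuid.getnode", mac)], TARGET_MACS)
        print("this machine's primary adapter on the sample list:", bool(hit))
```

Two practical notes. `uuid.getnode()` reports a single adapter, and the page says the implant keyed on the machine's addresses, so a real check should walk every adapter (for example the output of `ip link` or `getmac`) and feed the full inventory to `targeted_adapters`. And a match only means the machine was on the attackers' list; the comments below are right that a non-match says nothing about whether the trojanised updater itself was installed.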



  • Step 1 (Score:5, Funny)

    by Kiaser Zohsay ( 20134 ) on Monday March 25, 2019 @09:17AM (#58330454)

    Give it a cool name:

    The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.

    Check.

  • Why don't they hire people who know what they are doing?
  • by ctilsie242 ( 4841247 ) on Monday March 25, 2019 @09:41AM (#58330572)

    Now this is something scary. Any company that takes security seriously uses an HSM to ensure that at worst, bad guys have to compromise the HSM specifically to generate signatures.

    At the minimum, and this is a MS recommended practice, the cert signing computers should be air-gapped to require a physical presence to sign something. The fact that this isn't done for a critical hardware company is extremely worrisome.

    For something as critical as updates, it is actually shocking that an HSM isn't used. These are not expensive... YubiKey sells a HSM for $650.

    • by gweihir ( 88907 )

      YubiKey does not sell HSMs. If you go with a cheap real HSM, you are paying at least $50'000.

      • by chrish ( 4714 )

        Actually, you're off by an order of magnitude; you can buy an HSM for $5000-ish.

        [Citation: I work with HSMs at the office.]

        • by gweihir ( 88907 )

          Have the snake-oil vendors gotten into the HSM market after all? Care to share a reference to a product?

          • by chrish ( 4714 )

            I don't think I can, sorry; nobody seems to publish their pricing, presumably because they want to harass you with sales goons. We're also under NDA.

            I can tell you that one vendor, who didn't give us special pricing on hardware, sold us an HSM for around $5k US. This is a PCI-e card model, not an appliance, so it's probably much cheaper... there's no intrusion detection or anything like you'd get with a 1U rack mount or something like that.

  • by Anonymous Coward
    WTF, it's 2019. Doesn't everyone know by now, that you never, ever want to get your software from the same people you get your hardware from? It sucks that with phones, most of us still have little choice. But for desktops?! Preloaded software is so 1980s.
  • by the_skywise ( 189793 ) on Monday March 25, 2019 @09:46AM (#58330594)
    What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?
    • by Merk42 ( 1906718 ) on Monday March 25, 2019 @09:52AM (#58330636)

      What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?

      https://shadowhammer.kaspersky... [kaspersky.com]

    • by thomst ( 1640045 )

      the_skywise inquired:

      What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kaspersky won't say what files to look for?

      Kaspersky has made available a downloadable tool [kas.pr] to determine whether the MAC address of your machine is on the list of addresses this malware targets:

      https://kas.pr/shadowhammer

      What you have to understand about Advanced Persistent Threat malware in general is that it is all designed to be exceedingly hard to detect, and as difficult as possible to remove, so there aren't any files you can "check for," nor is there a real possibility that you can remove it yourself.

      Although Kaspersky ha

      • by Anonymous Coward

        https://kas.pr/shadowhammer

        A zip file from "kas" in Puerto Rico. Yeah, I'm totally going to run whatever EXE is inside there. No worries, "thomst" on Slashdot says it's probably 100% legit.

  • by Anonymous Coward

    I thought Kaspersky changed its base of operations to Switzerland because of the recent problems with the US Government?

  • My primary device is an asus laptop I bought for school a few years ago, over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem my next step being to replace the router. Has anyone else with an asus device noticed issues like this? Could this be the issue? I've even tried loading centos and tails just to get the same "no internet
    • by Anonymous Coward

      My primary device is an asus laptop I bought for school a few years ago, over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem my next step being to replace the router.
      Has anyone else with an asus device noticed issues like this? Could this be the issue? I've even tried loading centos and tails just to get the same "no internet connection available"

      I don't currently use asus devices, but it doesn't make sense for this to be your issue. Installing a backdoor on your Windows OS would not affect a TAILS bootup. In your case, I'd suspect the wifi adapter itself, first. Do you have a USB wifi you can plug in for testing? Or ethernet cable? When the internet connection goes out, can you still access your router?

      • by Anonymous Coward

        My primary device is an asus laptop I bought for school a few years ago, over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem my next step being to replace the router.
        Has anyone else with an asus device noticed issues like this? Could this be the issue? I've even tried loading centos and tails just to get the same "no internet connection available"

        Whoops, missed the "across multiple devices" part -- which would point more towards an issue with either router or modem...

    • Most likely this has nothing to do with network connectivity issues. The malware took very great care to be invisible unless activated, and the server where the second payload should have come from has been down since at least November 2018. In other words, anything happening to you for the last 2 weeks is most likely not due to this.

  • And, as usual, nothing much will happen. The vast majority just pay lip service to security, but don't really put their money where their mouth is. Why? Because it is not worth their while. It is far easier, and better for their bottom line, to talk big about security, than actually taking the necessary security steps. Because when the inevitable security "disaster" occurs, nothing much happens. And that is the case because it is not in the interest of any of the major players for anything much to happen. W

  • I forked over all the money about a year ago for an ASUS ROG Zephyrus gaming laptop, mainly because it was the first to market using the new nVidia standards that let a 1080 series video card run in a slimmer laptop while still getting adequate cooling.

    Well -- I woke up one morning to find my keyboard bulging upwards around the S, D and F keys.

    The battery in it blew up like a balloon, to the point it's deforming the keyboard on top of it. A quick search on the net reveals a bunch of complaints about the ex

    • Yeah, when they only did motherboards they had that great reputation. I've seen at least 4 out of 4 of their laptops over the last few years that were pretty bad on overheating and reliability. I wouldn't buy another ASUS laptop for gaming.

  • High level hacker (Score:4, Insightful)

    by 140Mandak262Jamuna ( 970587 ) on Monday March 25, 2019 @11:54AM (#58331392) Journal
    After getting through ASUS server compromise, they just targeted 600 computers with hard coded MAC tables?

    It could be a high level state actor looking for high value targets.

    Or this is the test exploit verifying the ability for field testing. Subsequently they might have installed other back doors, and erased those operations from the update process. They forgot to clean up the original test code.

    Given the level of persistence these things can have, it would be really impossible to clean up the infected ASUS machines.

    • by AHuxley ( 892839 )
      Someone really wanted a longer term way in and to stay in with lower risk.
      The chart on Operation ShadowHammer https://securelist.com/operati... [securelist.com] lists nations by (% by country) as
      Russia, Germany, France, Italy, the USA, Spain, Poland, the UK ...
      The page also has a MAC addresses online tool and an email if a MAC is detected.
