Hackers compromised a server for ASUS’s live software update tool then used the breach to push a backdoor into potentially over a million computers in what Kaspersky Lab’ founder described today as “one of the biggest supply-chain incidents ever”.
Dubbing the breach “ShadowHammer”, Kaspersky Lab threat researchers say despite the breadth of the campaign between June and November 2019, the ASUS backdoor was meant to “surgically target” a limited number of users identified by network adapter MAC addresses.
The as-yet unknown threat actor modified the ASUS Live Update Utility, signed with a legitimate certificate, added a back door to the utility, and then distributed it to unwitting users through ASUS’s official channel. Kaspersky analysis shows Russian users were most affected, followed by German users. This may be skewed by distribution of Kaspersky Lab software used to identify the breach, it added.
Kaspersky Lab: Smells Like Barium
The Russian cybersecurity company linked the attack to complaints made by Microsoft in 2017 against a group dubbed “Barium” that targeted “high-value computer networks of individual users and entities located in Virginia and the Eastern District of Virginia,” as well a campaign that saw a still-unknown threat group insert backdoors into a game’s build environment; the latter campaign identifed by both Kaspersky and ESET.
“To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list” Kaspersky Lab said today.
“We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.”
Here's something interesting: the backdoor in ASUS Update Setup.exe is _again_ located in the CRT, just like the CCleaner case and recent games with a backdoor. This time in _crtExitProcess. #ShadowHammerpic.twitter.com/k0nP0fC7ds
Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team told Motherboard‘s Kim Zetter that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network, after being contacted in January, but noted that the download path for the malware samples Kaspersky collected leads directly back to the ASUS server. While Kaspersky says it met with ASUS to raise the issue, the company has been unresponsive since and “continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky notified the company of the problem, though it has since stopped.”
Kamluk said ASUS has yet to invalidate the two compromised certificates, which means the attackers or anyone else with access to the un-expired certificate could still sign malicious files with it, and machines would view those files as legitimate ASUS files.
Kevin Bocek, VP Security Strategy and Threat Intelligence at machine identity protection provider, Venafi, said in an emailed comment: “Code signing certificates are used to establish which updates and machines should be trusted, and they are in the applications that power cars, laptops, planes and more.”
“Nearly every operating system is dependent on code signing, and we will see many more certificates in the near future due to the rise of mobile apps, DevOps and IoT devices. However, cyber criminals see code signing certificates as a valuable target due to their extreme power. With a code signing certificate, attackers can make their malware seem trustworthy and evade threat protection systems.”
He added: “Unfortunately, in many organisations the protection of code signing processes falls mostly to developers who are not prepared to defend these assets. In fact, most security teams aren’t even aware if their developers are using code signing or who may have access to the code signing process.”
“It’s imperative for organisations to know what code-signing certificates they have in use and where, especially as it’s likely we’ll see similar attacks in the future.”
Which region did the threat stem from? PwC’s threat intel lead had a few thoughts…
It's kinda weird when the only other instances you can find of a modified crypto function from a passive backdoor targeting Taiwan exist in an app by the software arm of one of China's largest companies.
Kaspersky Labs said: “Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide”.
The attackers have since switched to other targets, Kaspersky said.
Important note to those who rushed when reading #ShadowHammer story: current ASUS updates are fine, according to our knowledge. Attackers seemed to cease activity in November 2018 and switched to other targets. Which ones? #TheSAS2019 will tell in just 2 weeks. </ShamelessTeaser>