Taiwanese computer maker ASUS has admitted its Live Update servers were breached by an as-yet unknown adversary and used to push a backdoor onto what Kaspersky Lab says may have been over a million devices.
In a belated response to the revelation, the company pointed late Tuesday to “national-level attack[s] usually initiated by a couple of specific countries” and released a a fix in the latest version of its Live Update software.
Only the version of Live Update used for notebooks was hijacked, it said, downplaying the incident and declining to mention or thank Kaspersky Lab for identifying the sophisticated attack: “Only a very small number of specific user group were found to have been targeted by this attack” the company said.
ASUS said: “We have introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.”
The company has also created an online security diagnostic tool to check for affected systems, and encouraged users to “run it as a precaution.”
It did not thank Kaspersky Lab for identifying the compromise.
Some users attempting to download that tool were warned by Windows Defender that the update itself was malicious.
— Giuseppe `N3mes1s` (@gN3mes1s) March 26, 2019
The breach was identified by Kaspersky Lab, which dubbed it “ShadowHammer”, Kaspersky Lab threat researchers say despite the breadth of the campaign between June and November 2018, the ASUS backdoor was meant to “surgically target” a limited number of users identified by network adapter MAC addresses.
“We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers,” Kaspersky said.
The privately held Russian cybersecurity company is publishing a paper/presenting on the attack at the Security Analyst Summit 2019 in Singapore Training on April 7-8 and has suggested the attackers have pivoted to other targets.