Criminals Modified ASUS Live Update Utility to Deliver Backdoor to 1M People

March 26, 2019 | David Bisson

Digital criminals modified the ASUS Live Update Utility to deliver a backdoor to approximately one million people.

According to a blog post published on Securelist, Kaspersky Lab first detected the supply chain attack named “Operation ShadowHammer” on 19 January. Bad actors staged this campaign between June 2018 and November 2018 against the ASUS Live Update Utility, software which comes pre-installed on all ASUS machines. This tool enables ASUS computers to automatically receive updates for BIOS, UEFI and other applications from the manufacturer.

Kaspersky Lab counted 57,000 users of its security software who installed the backdoored version of the ASUS Live Update Utility distributed in this campaign. The Russian security firm couldn’t arrive at a total number of users affected by the attack using its numbers alone. Using what it saw, however, it postulated that Operation ShadowHammer infected more than a million users.

Following its discovery, the security company notified ASUS about the attack campaign on 31 January. The computer manufacturer responded by acknowledging the events of Operation ShadowHammer on 26 March—a day after Kaspersky Lab’s report came out. As quoted in the company’s statement:

A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.

ASUS also said it has implemented several security measures to prevent similar incidents from happening again and has issued a fix in version 3.6.8 of the Live Update software. The updated version is available for download from ASUS.

Looking back at its research, Kaspersky Lab concluded that the campaign was so hard to detect because the trojanized updaters were signed with legitimate ASUS certificates. Code-signing certificates matter to companies because they identify which updates and machines should be trusted; unfortunately, that same function is what makes them attractive targets for digital attackers.


Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, knows this preference among digital criminals all too well:

Hackers continue to exploit the power of machine identities every day. Like Stuxnet, attackers steal or take over code-signing certificates to make their malware trusted. Everything from Tesla cars to Boeing airplanes to your laptop uses code signing to establish which apps, drivers and updates are trusted. This is the extreme power that hackers want: to be completely trusted, and it can even allow them to evade threat protection systems.

The problem, Bocek explains, is that the protection of code-signing processes commonly falls to developers who are not prepared to defend against attacks. At the same time, most security teams may not even know their developers are using code signing. This lack of visibility is concerning, as code-signing certificates are likely to grow exponentially over the next few years amid the rise of mobile apps, DevOps and IoT.

Given these risks, organizations need to invest in a solution that helps them inventory their code-signing certificates and other cryptographic assets and monitor them for signs of abuse.
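As an added example (not from the original post, Venafi or ASUS), the following PowerShell builds the kind of inventory the paragraph above calls for: it lists the Authenticode signers of binaries under a directory and flags anything that is unsigned, carries a broken signature, or is validly signed by a certificate that is not on the organization's own allowlist. That last category is the one a legitimate-looking signature on a trojanized updater would otherwise hide. The allowlist thumbprint and the scanned path are placeholders.

```powershell
# Added example, not code from the original post. Inventories Authenticode signers
# under a path and flags binaries whose signature is invalid or whose signer is not
# on an allowlist. The thumbprint below is a placeholder: populate it with the
# certificates your organization actually trusts for signing.
$ApprovedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_APPROVED_SIGNING_CERT'
)

function Get-SignerInventory {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Approved = $ApprovedThumbprints
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate

            # Classify each file: unsigned, broken signature, valid but unknown signer, or approved.
            # A valid chain only proves the certificate is trusted by Windows, not that the
            # publisher is one you expect, so the allowlist check is the important step.
            $verdict = switch ($sig.Status) {
                'NotSigned' { 'Unsigned' }
                'Valid'     {
                    if ($cert -and ($Approved -contains $cert.Thumbprint)) { 'Approved' }
                    else { 'ValidButUnknownSigner' }
                }
                default     { "Invalid:$($sig.Status)" }
            }

            [pscustomobject]@{
                File        = $_.FullName
                Verdict     = $verdict
                Subject     = if ($cert) { $cert.Subject }    else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
                TimeStamped = [bool] $sig.TimeStamperCertificate
            }
        }
}

# Usage: review everything that is not 'Approved', then aggregate by signer to build
# the certificate inventory. The path is an assumption; point it at the software you manage.
$inventory = Get-SignerInventory -Path 'C:\Program Files\ASUS'
$inventory | Where-Object Verdict -ne 'Approved' | Format-Table -AutoSize
$inventory | Group-Object Subject, Thumbprint | Select-Object Count, Name | Sort-Object Count -Descending
```

Running this on a schedule and diffing the signer list against the previous run gives the visibility Bocek describes: a new thumbprint signing update binaries is a change worth investigating even when Windows reports the signature as valid.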

How well protected are your code-signing and other digital certificates?


About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
