Digital criminals modified the ASUS Live Update Utility to deliver a backdoor to approximately one million people.
According to a blog post published on Securelist, Kaspersky Lab first detected the supply chain attack it named “Operation ShadowHammer” on 19 January. The attackers staged the campaign between June and November 2018 against the ASUS Live Update Utility, software that comes pre-installed on most ASUS machines. The utility lets ASUS computers automatically receive updates for BIOS, UEFI and other applications from the manufacturer.
Kaspersky Lab counted 57,000 users of its own security products who had installed the backdoored version of the ASUS Live Update Utility distributed in this campaign. Because that telemetry covers only Kaspersky customers, the Russian security firm could not derive the total number of affected users from its numbers alone; extrapolating from what it saw, it estimated that Operation ShadowHammer had infected more than a million users.
Following its discovery, Kaspersky Lab notified ASUS of the campaign on 31 January. ASUS publicly acknowledged Operation ShadowHammer on 26 March, the day after Kaspersky Lab’s report was published. As quoted in the company’s statement:
A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
ASUS also said it has implemented several additional security measures to prevent similar incidents and has released a fix in version 3.6.8 of the Live Update software, which is available for download from ASUS.
Looking back at its research, Kaspersky Lab attributes the campaign’s stealth to the fact that the trojanized updaters were signed with legitimate ASUS code-signing certificates and delivered through the vendor’s own update channel. Code-signing certificates matter to vendors precisely because they let endpoints decide which updates and which software to trust, so a valid signature moves a file straight into the trusted category. That is exactly what makes code-signing keys, and the build and release pipelines that use them, high-value targets for attackers: a valid signature proves only that the signer’s key produced it, not that the signed build is clean.
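The practical consequence for defenders is that an Authenticode check alone could not distinguish a ShadowHammer build from a clean one. The PowerShell function below is an added example written for this article, not code from Kaspersky Lab, ASUS or Tripwire; it checks an installed Live Update binary on three axes at once: signature validity and signer, file version against the 3.6.8 fix ASUS named, and a SHA-256 hash to compare with vendor- or IR-supplied indicators. The install path, the signer subject string and the assumption that the binary’s file version tracks the 3.6.8 fix are assumptions, not facts from the article; confirm them against a known-good install before relying on the verdict.

```powershell
# Added example for this article; not code from Kaspersky Lab, ASUS or Tripwire.
# Checks an installed ASUS Live Update binary the way the reported facts suggest:
# signature validity AND the fix version, because the trojanized builds were also
# validly signed by ASUS. Assumed (not from the article): the install path, the
# signer subject string, and that the file version tracks the 3.6.8 fix.

function Test-AsusLiveUpdateBinary {
    param(
        # Assumed default location; override for your image.
        [string]$Path = 'C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe',
        # Version ASUS named as carrying the fix.
        [version]$FixedVersion = [version]'3.6.8',
        # Assumed signer subject fragment; confirm against a known-good install.
        [string]$ExpectedSigner = 'ASUSTeK Computer Inc.'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "ASUS Live Update binary not found at $Path"
    }

    # Authenticode: does the chain validate, and is the leaf the subject we expect?
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerSubject = if ($null -ne $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($null -ne $signerSubject) -and
                ($signerSubject -like "*$ExpectedSigner*")

    # Version: build a [version] from the PE version-resource fields so that
    # oddly formatted FileVersion strings ("3, 6, 8, 0") do not break the compare.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $versionOk = $fileVersion -ge $FixedVersion

    # Hash: keep for comparison with vendor- or IR-supplied indicators.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $verdict = if ($signerOk -and $versionOk) {
        'OK: signed by expected subject and at or above the fixed version'
    } elseif ($signerOk) {
        'SUSPECT: validly signed but older than the fix; a valid ASUS signature did not rule out the ShadowHammer builds'
    } else {
        'FAIL: signature invalid or unexpected signer; investigate'
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $signerSubject
        SignerExpected  = $signerOk
        FileVersion     = $fileVersion
        AtOrAboveFix    = $versionOk
        SHA256          = $sha256
        Verdict         = $verdict
    }
}

# Usage on a single host; wrap in Invoke-Command for a fleet.
Test-AsusLiveUpdateBinary | Format-List
```

The ordering of the verdicts is deliberate: a file that is validly signed but predates the fix is reported as suspect rather than as fine, because in this incident the signature was the property the attackers had already defeated.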
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, knows this preference among digital criminals all too well:
Hackers continue to exploit the power of machine identities every day. Like Stuxnet, attackers steal or take over code-signing certificates to make their malware trusted. Everything from Tesla cars to Boeing airplanes to your laptop uses code signing to establish which apps, drivers and updates are trusted. This is the extreme power that hackers want: to be completely trusted, and it can even allow them to evade threat protection systems.
The problem, Bocek explains, is that protecting code-signing processes commonly falls to developers who are not prepared to defend them against attack. At the same time, many security teams do not even know that their developers are using code signing. That lack of visibility is concerning because the number of code-signing certificates is likely to grow rapidly over the next few years with the rise of mobile apps, DevOps and IoT.
Given these risks, organizations need to invest in a solution that inventories their cryptographic assets, code-signing keys and certificates in particular, and monitors them for signs of abuse.
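Before buying anything, a security team can get a first answer to “are our developers using code signing?” from the hosts themselves. The function below is an added example written for this article, not code from Venafi or the article’s author. It walks every Windows certificate store on the local machine, keeps only certificates carrying the code-signing extended key usage, and flags the two things an inventory needs most: whether the private key is present on this host (meaning the machine can sign) and whether the certificate has expired. It assumes a Windows host and an elevated session so that LocalMachine stores are fully readable; per-user stores are returned either way.

```powershell
# Added example for this article; not code from Venafi or the article's author.
# Builds the first layer of the inventory the article recommends: every certificate
# in this host's Windows stores that carries the code-signing EKU, flagging those
# whose private key is present (i.e. this machine can sign) and those past expiry.
# Assumes a Windows host; run elevated to see LocalMachine stores in full.

function Get-LocalCodeSigningCertInventory {
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning (RFC 5280)
    $now = Get-Date

    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object {
            $cert = $_

            # Look for the EKU extension and test it for the code-signing OID.
            $ekuExts = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $isCodeSigning = $false
            foreach ($ext in $ekuExts) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $codeSigningOid) { $isCodeSigning = $true }
                }
            }
            if (-not $isCodeSigning) { return }   # skip certificates that cannot sign code

            [pscustomobject]@{
                Store         = ($cert.PSParentPath -replace '^.*::', '')
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                Expired       = ($cert.NotAfter -lt $now)
                HasPrivateKey = $cert.HasPrivateKey   # $true => this host can produce signatures
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            }
        }
}

# Usage: signing-capable keys first, since those are what an attacker would steal.
Get-LocalCodeSigningCertInventory |
    Sort-Object HasPrivateKey, NotAfter -Descending |
    Format-Table Store, Subject, HasPrivateKey, Expired, NotAfter, Thumbprint -AutoSize
```

Run across developer workstations and build servers, the rows with HasPrivateKey set to true are the population a monitoring solution has to cover; self-signed entries with a private key usually indicate ad-hoc signing outside any managed process.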
How well protected are your code-signing and other digital certificates?