ShadowHammer Virus from Asus Updates Infects One Million Asus Computers

essidsolutions

An estimated one million Asus computers have been infected with malware carried by the company’s own software updates, according to researchers at Kaspersky Lab.

Hackers gained access to the Asus Live Update Utility, which downloads software to the computers, and installed what the researchers called ShadowHammer malware on the devices. They reported that more than 50,000 machines using Kaspersky’s security software were attacked and extrapolated that number to estimate that more than one million Asus computers were infected worldwide.

On some of the machines, the researchers said, the malware may have been used to download other viruses.

The attack is the latest in a string of supply-chain download attacks in which hackers piggybacked on manufacturers’ security updates to deliver malware to computers. This type of attack raises concerns that users who had previously been advised always to trust software updates from manufacturers would stop downloading security updates, leaving their devices vulnerable to attacks.

Asus, a hardware manufacturer based in Taiwan, said in a statement that it implemented a fix for the problem in the Live Update tool, so users can download the latest software, which will remove the malware. The company said it did not know how many computers were affected but believed it was a “small number of devices.”

It added that its customer service experts had helped users remove the threat.

The attackers found a way to send the malicious updates by infiltrating the Asus servers and using legitimate software certificates to go undetected. The malware read each device’s MAC address – the unique identifier assigned to every network interface that connects a device to a network.

If the MAC address corresponded to an entry in a table carried by the malware, the next stage was downloaded onto the device. Otherwise, no action was taken, which is why the attack lay undetected for such a long time.

Some 600 affected MAC addresses were identified by security experts. The goal of the cyberattack, which took place between June and November last year, is unknown. Kaspersky Lab discovered the attack in January 2019.
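The MAC-address gate described above is also the basis of the defender-side check a user can run: does any local adapter appear on the list of targeted addresses? The script below is an added example, not the article’s or Kaspersky’s code; the target list and the interface output it parses are constructed placeholders, and it normalizes the colon, dash and Cisco dotted formats so that a list published in one format still matches output in another.

```python
import re

# Constructed placeholder list: NOT the real ShadowHammer target MACs.
# Mixed formats on purpose, as published indicator lists often are.
TARGET_MACS = {
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-FF",
    "0a1b.2c3d.4e5f",
}

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I
)

# Addresses that appear in interface output but never identify a host.
NON_HOST_MACS = {"000000000000", "ffffffffffff"}


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits regardless of input format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def extract_macs(interface_output):
    """Pull every host MAC out of `ip link` / `getmac`-style text, in order."""
    found = [normalize_mac(m) for m in MAC_RE.findall(interface_output)]
    return [m for m in found if m not in NON_HOST_MACS]


def matching_targets(local_macs, target_macs):
    """Return the sorted set of local MACs that appear on the target list."""
    targets = {normalize_mac(t) for t in target_macs}
    return sorted({normalize_mac(m) for m in local_macs} & targets)


# Constructed sample, shaped like `ip link` output on Linux.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 3c:97:0e:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    hits = matching_targets(extract_macs(SAMPLE_IP_LINK), TARGET_MACS)
    print("targeted adapters:", hits or "none")
```

On a real machine, feed the output of `ip link` (Linux) or `getmac` (Windows) into `extract_macs` and the vendor-published address list into `matching_targets`; an empty result means no adapter on this host was on the list, not that the host never received the trojanized update.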

The security firm calls supply chain attacks one of the most dangerous and effective ways of infecting devices with malware. Such attacks target specific weaknesses in the vendor’s system.

In 2017, hackers targeted CCleaner, a popular tool that cleans files on computers. The hackers inserted backdoor code into updates for the software, infecting some 2.27 million computers over a period of one month, according to CCleaner owner Avast, itself a security firm.

A few months earlier, hackers exploited another supply-chain vulnerability in the destructive NotPetya attack, which affected hundreds of businesses in Ukraine and others worldwide, including Maersk of Denmark and the drugs company Merck.

The virus piggybacked on an accounting software tool popular in Ukraine known as MeDoc, infecting computers via updates then spreading through corporate networks.

The growth of such supply chain attacks is thought to be a response to improved security systems by software and hardware vendors. Corporate networks have implemented effective firewalls and it is harder to find vulnerabilities in software such as Microsoft Office.

Increased awareness among users makes them less likely to click on suspect email links or give details to unproven sources. Mounting Advanced Persistent Threats – known as APTs, stealth attacks on computer networks – requires hackers to move up the chain and target manufacturers’ own updates.

Supply chain attacks are sophisticated because they find ways to pass through computer manufacturers’ security systems undetected. They are also nearly impossible for users to stop. Hackers have even started targeting the development tools used by software engineers to write programs, such as the recent attack that used a fake version of the Apple developer tool Xcode.

Kaspersky said that three other vendors in Asia apart from Asus have suffered from similar incursions. “The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base,” said Vitaly Kamluk, director of the global research and analysis team at Kaspersky Lab.

He added that unauthorized execution of code and other methods suggest that the ShadowHammer attack is related to the Barium APT, which had been linked to the CCleaner attack. “This new campaign is another example of how sophisticated and dangerous a smart supply chain attack can be nowadays,” Kamluk said.

While the focus of cybersecurity training has been on educating users to take care of what they click on, supply chain attacks like ShadowHammer shift the onus back on to manufacturers to improve their own internal security systems.