Asus Goes Mute As Hackers Covertly Install Backdoors Using Company Software Update

from the supply-chain-shenanigans dept

According to new analysis by Kaspersky Lab, nearly a million PC and laptop owners may have installed a malicious ASUS software update that embedded a backdoor into their computers without their knowledge. The security firm says state-sponsored hackers (presumed to be China) managed to subvert the company's Live Update utility, which is pre-installed on most ASUS computers and is used to automatically update system components such as BIOS, UEFI, drivers and applications.

The malicious file was signed with a legitimate ASUS digital certificate, so it passed as a genuine software update from the company, and it was built with a very particular target range in mind:

"The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list."

According to Kaspersky, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. And while Symantec has confirmed the problem and stated it found 13,000 computers infected with the backdoor, Kaspersky estimates the total number of impacted PC users could be as high as a million.
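As an added illustration (not Kaspersky's, ASUS's, or the article's code) of the targeting check described above: the backdoor compared the host's adapter MAC addresses against a hardcoded list, and the same comparison run by a defender answers whether a given machine was on that list. The target digests, the SHA-256 hashing of the list, and the inventory rows below are constructed assumptions for this example.

```python
"""Triage: would a host's adapters have matched a hardcoded MAC target list?

Illustrative code, not Kaspersky's or ASUS's tool. Assumes the list is
published as SHA-256 digests of canonical MACs (constructed for this example).
"""
import hashlib
import re


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return lowercase colon-separated form; raise otherwise."""
    if not re.fullmatch(r"[0-9a-fA-F:\-. ]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_digest(mac: str) -> str:
    """Hash a MAC in canonical form so the list never stores raw addresses."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample list: digests of two made-up targeted adapters.
TARGET_DIGESTS = frozenset(
    mac_digest(m) for m in ("00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff")
)


def matching_adapters(host_macs, target_digests=TARGET_DIGESTS):
    """Return the host's adapters (canonical form) whose digest is on the list.
    A host with several adapters counts as targeted if any one matches, which
    is how a per-adapter hardcoded list would select it. Unparseable entries
    (e.g. "N/A" from an inventory export) are skipped, not treated as errors."""
    hits = []
    for mac in host_macs:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            continue
        if mac_digest(canon) in target_digests:
            hits.append(canon)
    return hits


def is_targeted(host_macs, target_digests=TARGET_DIGESTS) -> bool:
    return bool(matching_adapters(host_macs, target_digests))


if __name__ == "__main__":
    # Constructed inventory: one host with a matching adapter, one without.
    hosts = {"lab-laptop-07": ["00-11-22-33-44-55", "02:00:00:00:00:01"],
             "lab-laptop-08": ["00:11:22:33:44:56", "N/A"]}
    for name, macs in hosts.items():
        print(name, "TARGETED" if is_targeted(macs) else "not on list", matching_adapters(macs))
```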

For its part, Asus isn't helping matters by going entirely mute on the subject. Motherboard was the first to report on the hack (in turn prompting Kaspersky's acknowledgement). But Asus apparently thought that silence was a better idea than owning the problem, confirming the data discovered by researchers, or quickly and accurately informing the company's subscribers:

"This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.

Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company."

Yeah, hiding your head in the sand should fix everything. While this hack specifically focused on supply-chain issues, Asus is no stranger to privacy scandals. The company was given a hearty wrist slap by the FTC a few years back for selling routers with paper-mache-grade security. As part of that deal, Asus was required to agree to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. Apparently that didn't help much.

Filed Under: breaches, cybersecurity, hacks, response, software updates, supply chain attack
Companies: asus


Reader Comments


  • Bamboo Harvester (profile), 26 Mar 2019 @ 9:39am

    This is odd...

    ...What were the 600 systems targeted? That's an awful lot of work to gain access to only 600 machines.

    • Rocky, 26 Mar 2019 @ 9:48am

      Re: This is odd...

      It all depends who the owners are and what company or government facility they work for.

      • Bamboo Harvester (profile), 26 Mar 2019 @ 10:00am

        Re: Re: This is odd...

        Which is why I asked which 600 sites were targeted.

        If they're government, major corporations, etc. it would go a long way to discovering who may be behind it.

        Don't forget that the cracking of that "uncrackable" DRM protection for game software was one guy with a grudge.

        • Anonymous Coward, 26 Mar 2019 @ 10:48am

          Re: Re: Re: This is odd...

          We will likely never know.

          Kaspersky is unlikely to tell anybody but law enforcement, as doing anything else might put the targets into more danger.

          My personal guess is that the targets were used by cryptocurrency exchanges; this is the place where large sums of money, lack of regulation and people used to using "gamer" hardware for everything meet.

          Another option would be mining pool central servers; being able to direct 25BTC to your own wallet every so often would be damn lucrative!

          • Anonymous Coward, 26 Mar 2019 @ 11:25am

            Re: Re: Re: Re: This is odd...

            ASUS is hardly "gamer hardware". Though ASUS machines may be used by people who work at or operate cryptocurrency businesses, none of this explains how they collected the MAC addresses used as the target list. If the attacker had enough inside knowledge and access to the machines in question such that they could get the MAC addresses from each, they could have just planted the malware at the same time. Hacking into ASUS' servers, or getting an employee on the inside to do so, is a huge undertaking for a malware attack.

            This sounds more like the culmination of a long-term information theft operation aimed at much more lucrative targets than a BTC operation. The resources required to pull this off are fairly extreme, including the slow accumulation of MAC addresses -- information not readily available without access to the hardware. From my own experience, this level of attack is almost always state-sponsored and frequently Chinese. It has all the right fingerprints.

            • Bamboo Harvester (profile), 26 Mar 2019 @ 11:34am

              Re: Re: Re: Re: Re: This is odd...

              Good point on the MAC addresses.

              My guess would be that they're from a single production run, and were targeted because of who or where they were shipped to.

              Which thickens the plot - I doubt ASUS makes that kind of information public.

          • Anonymous Coward, 26 Mar 2019 @ 11:27am

            Re: Re: Re: Re: This is odd...

            Side note:

            Kaspersky has an enormous database of past malware. Comparisons of this new malware against that database more than likely pinpoints the source, or at least the authorship. That's far more interesting to me than who was targeted. After all, if you have something of value on a server then you are a target. Who's interested in that something of value tells a much richer story.

    • Anonymous Coward, 27 Mar 2019 @ 9:55am

      Re: This is odd...

      Whatever the targets, that's another issue. What is so damaging here is the way Asus is handling this. We can speculate they are not free to divulge more, whether by gag order from a state entity (CCP, DHS) or by ransomware, but whatever the reason it reflects badly on their supply chain. Like Supermicro before them, it shows us that purchasing hardware from Taiwan is a risk.

  • Anonymous Coward, 26 Mar 2019 @ 9:42am

    Virus spreaders should be put to death.

    • Anonymous Coward, 26 Mar 2019 @ 9:47am

      Re:

      You and everyone you know are virus spreaders. That is a horrible idea. Perhaps virus creators are what you intended.

    • That One Guy (profile), 26 Mar 2019 @ 2:18pm

      Getting a taste of your own medicine

      Nah, you want to really twist the knife you either prohibit them from using a computer or other similar digital device, or you make it so that they are prohibited from using any form of anti-virus or computer security on any device they are allowed.

      If they are willing to subject others to viruses, then it's only fair they get to experience what it's like themselves after all.

      Over.
      And over.
      And over again.

  • K`Tetch (profile), 26 Mar 2019 @ 9:43am

    I hate all that damned crapware.

    I have an Acer, and its control center seems to be almost unkillable. Every time I disable it, or remove the process or disable the service, it restarts.

    • Thad (profile), 26 Mar 2019 @ 10:17am

      Re:

      Can you do a clean Windows install, or is that disabled by the bootloader?

      • K`Tetch (profile), 26 Mar 2019 @ 12:49pm

        Re: Re:

        That would, at this point, take more effort than it's worth.
        Plus it's not my laptop, it's my eldest's (I don't like laptops); it's just the one I use when I'm on-site on a video job, to dump camera footage onto.

        • Thad (profile), 26 Mar 2019 @ 1:22pm

          Re: Re: Re:

          That would, at this point, take more effort than it's worth.

          Yeah, I hear you. Takes me days to get everything back the way I wanted it after I do a clean install.

  • Anonymous Coward, 26 Mar 2019 @ 10:02am

    Damn, I'll have to check my PC. I think I didn't install Live Update. Does any anti-virus software remove this backdoor, or do I specifically have to get Kaspersky?

    • Rocky, 26 Mar 2019 @ 10:12am

      Re:

      ASUS has posted an update with a tool to diagnose and remove a possible infection.

      Check here: https://www.asus.com/News/hqfgVUyZ6uyAyJe1

      • Anonymous Coward, 26 Mar 2019 @ 11:26am

        Re: Re:

        I get "Access Denied" from that link. If it worked, how would users know whether it's a real Asus update?

        • Rocky, 26 Mar 2019 @ 11:56am

          Re: Re: Re:

          That's strange. Just verified that the link is valid.

          Regarding the update, it would require some amazing internet ninja-moves to publish a press release as Asus and compromise their site to publish some new malware without anyone picking up on it.

          If you are unsure you can always upload the update to https://www.virustotal.com to get a comprehensive virus check. Caveat: it doesn't have a 100% detection rate, which no anti-virus scanner has, but it's better than just depending on anything you happen to have installed.

          • Anonymous Coward, 27 Mar 2019 @ 7:27am

            Re: Re: Re: Re:

            Regarding the update, it would require some amazing internet ninja-moves to publish a press release as Asus and compromise their site to publish some new malware without anyone picking up on it.

            Compromising a site, even a high-profile one, does not require "amazing ninja moves". It happens every day. And this story is literally about someone impersonating Asus to publish malware, with a valid certificate and everything, and until people noticed that, no virus-scanner would have caught it.

            BTW, the press-release aggregators have little authentication. See the antics of The Yes Men.

    • Anonymous Coward, 26 Mar 2019 @ 11:29am

      Re:

      Unless you have one of the targeted MAC addresses then you have nothing to worry about. If you work for the government, one of the national labs, Boeing, etc., then you probably should worry.

  • Anonymous Coward, 26 Mar 2019 @ 10:23am

    Love ASUS equipment but never trusted in update utilities. The closest I come to a convenient update utility is Ninite's website.

  • Uriel-238 (profile), 26 Mar 2019 @ 11:26am

    Bullet dodged

    Curiously I never installed ASUS live update. (Should I?) One of the side effects of a home grown system is the tedious chore of having to install all the bits and pieces individually.

    The Motherboard AI suite has the USB 3.0 drivers and a bunch of other bundled utilities. It didn't install live-update, so I didn't.

  • Anonymous Coward, 28 Mar 2019 @ 1:44pm

    Given a hearty wrist slap by the FTC...

    Oh no! It's the FTC! Everybody run!

    Not.

    If you're a little guy, the FTC might come down on you. If you're big and important though, they're more likely to go down on you.

  • Ninja (profile), 29 Mar 2019 @ 2:24pm

    So avoid ASUS like the plague, no? Problems happen. Deafening silence must not happen. Ever.
