Asus Goes Mute As Hackers Covertly Install Backdoors Using Company Software Update

from the supply-chain-shenanigans dept

According to new analysis by Kaspersky Lab, nearly a million PC and laptop owners may have installed a malicious ASUS software update that embedded a backdoor into their computers without their knowledge. According to the security firm, state-sponsored hackers (presumed to be China) managed to subvert the company's Live Update utility, which is pre-installed on most ASUS computers and is used to automatically update system components such as BIOS, UEFI, drivers and applications.

The malicious file was signed by a legitimate ASUS digital certificate to hide the fact that it wasn't a legitimate software update from the company, with an eye on a very particular target range:

"The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list."

According to Kaspersky, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. And while Symantec has confirmed the problem and stated it found 13,000 computers infected with the backdoor, Kaspersky estimates the total number of impacted PC users could be as high as a million.

For its part, Asus isn't helping matters by going entirely mute on the subject. Motherboard was the first to report on the hack (in turn prompting Kaspersky's acknowledgement). But Asus apparently thought that silence was a better idea than owning the problem, confirming the data discovered by researchers, or quickly and accurately informing the company's subscribers:

"This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.

Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company."

Yeah, hiding your head in the sand should fix everything. While this hack specifically focused on supply-chain issues, Asus is no stranger to privacy scandals. The company was given a hearty wrist slap by the FTC a few years back for selling routers with paper-mache-grade security. As part of that deal, Asus was required to agree to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. Apparently that didn't help much.

Filed Under: breaches, cybersecurity, hacks, response, software updates, supply chain attack
Companies: asus


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 26 Mar 2019 @ 11:25am

    Re: Re: Re: Re: This is odd...

    ASUS is hardly "gamer hardware". Though ASUS machines may be used by people who work at or operate cryptocurrency businesses none of this explains how they collected the MAC addresses used as the target list. If the attacker had enough inside knowledge and access to the machines in question such that they could get the MAC addresses from each they could have just planted the malware at the same time. Hacking into ASUS' servers, or getting an employee on the inside to do so, is a huge undertaking for a malware attack.

    This sounds more like the culmination of a long-term information theft operation aimed at much more lucrative targets than a BTC operation. The resources required to pull this off are fairly extreme, including the slow accumulation of MAC addresses -- information not readily available without access to the hardware. From my own experience, this level of attack is almost always state-sponsored and frequently Chinese. It has all the right fingerprints.


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.