Jonathan Crowe

ASUS Supply Chain Attack Possibly Infected Half a Million Computers: How to Tell If You’re Affected

ASUS supply chain attack 2018

On Monday, Kim Zetter at Motherboard broke the news that attackers had hijacked the software update tool for ASUS, one of the largest computer makers in the world. Researchers estimate the tool was used to install backdoors on hundreds of thousands of machines between June and November 2018. Here’s what you and your clients need to know.

What happened? Quick facts:

  • Attackers compromised the ASUS Live Update Utility, which comes pre-installed on ASUS notebooks and automatically installs firmware and software updates.
  • They used compromised versions of Live Update to deliver malware to ASUS notebooks from June 2018 to November 2018. Versions of Live Update confirmed to be vulnerable include 3.5.9, 3.6.0, 3.6.2, and 3.6.5. During that time legitimate updates continued to be sent out, too, however, so not every user was infected.
  • The malware masqueraded as an update to the update tool, and was signed with one of two legitimate ASUS certificates. As a result, the malware was able to evade detection by signaling to users and security programs it was a trusted file.
  • Once installed, the malware checked victim MAC addresses to see if it had landed on one of at least 600 specific targets. If confirmed, it called out to a site disguised as a legitimate ASUS site (asushotfix[dot]com) and downloaded a second-stage payload. Otherwise, all victims were left with the initial backdoor installed.
  • Researchers at antivirus company Kaspersky believe the attack’s surgical targeting, along with other indicators, suggest it is the work of a sophisticated threat actor. They have officially dubbed the attack “Operation ShadowHammer,” and suggest it may be linked to previous supply chain attacks, including the 2017 CCleaner supply chain attack that infected 2.3 million users worldwide.
  • After initially denying the compromise, ASUS has issued a statement confirming a “small number of devices have been implanted with malicious code.” The company says the latest version of Live Update (3.6.8) is secure, though there have been reports of difficulty updating to that version, and it does not appear to be currently available for manual download from the ASUS website (despite ASUS indicating the contrary). In addition, the certificate used to sign the malware has not yet been revoked.

 

Operation ShadowHammer Timeline

Click to expand

Why is this a big deal?

1) Exposure to this malware was massive

ASUS is the world’s fifth-largest PC vendor, accounting for six percent of the PC market. The reach of this supply chain attack — carried out for at least five months — was extensive. Kaspersky found the malicious updater installed on 57,000 of its own customers, but researchers at the company estimate the total number of infected machines outside their customer base could potentially exceed one million.

ShadowHammer victims by country

Kaspersky customers infected by ShadowHammer, by country. Source: Kaspersky

 

Security firm Symantec confirmed Kaspersky findings with Zetter, and reported at least 13,000 of its own customers had also been infected by the malware.

2) The malware was able to slip past defenses undetected

Supply chain attacks like this one are difficult to defend against. In this case, attackers were able to wrap their malware in several layers of legitimacy:

  • The malware was installed via ASUS’s trusted update application
  • Attackers constructed the malware by injecting malicious code into a legitimate ASUS update file from 2015
  • The malware was digitally signed with a legitimate ASUS certificate (serial number 05e6a0be5ac359c7ff11f4b467ab20fc)

 

The ASUS certificate attackers used to sign malicious ASUS Live Update installer files. Source: Kaspersky

 

As a result, it was able to convincingly pass as an authentic update, tricking security programs and even users who were savvy enough to upload the files to VirusTotal, which reported them clean.

 

3) With backdoors installed, victims are vulnerable to a variety of threats

While only a small pre-determined list of MAC addresses were targeted to receive the second-stage payload, all of victims who received the malicious update installer between June and November 2018 still have malware on their systems.

The good news is the command-and-control server that delivered the second-stage payload was shut down in November, but until we know more about the malware’s capabilities victims have to assume there is some amount of risk even if they weren’t one of the ~600 targeted MAC addresses.

Researcher Vitali Kremez suggests that, in those cases, wiping machines may be overkill, but MSPs and admins should ensure ASUS Live Update has been updated to the latest version (3.6.8) and monitor affected machines more closely.

 

How can you determine if you or your clients are affected?

In short

  • Rule out the possibility machines were targeted to receive the second-stage payload by using Kaspsersky’s tool here
  • Check for the presence of the IOC hashes here
  • Check for presence of the file “.idx.ini”

More details

Kaspersky has an online tool you can use to determine if your MAC address is one of the 600 that the attackers were targeting for second-stage payload delivery.

Kaspersky ShadowHammer MAC address tool

Note: If your MAC address does show up as a match it’s not reason to panic just yet. Researchers point out a small number of the MACs may be providing false alarms.

Unfortunately, what the Kaspersky tool doesn’t tell you is whether you had a backdoored version of Live Update installed. Although they do provide a small number of hashes and other indicators of compromise (IOCs) here.

ASUS has also made a “security diagnostic tool” available, but it is unclear whether it simply checks your MAC address or helps you identify the other signs of infection. If you’re feeling brave enough to download the program (ASUS did just suffer a supply chain attack, after all), you may have difficulties running it, however.

Womp. womp.

UPDATE 3/27/19: Thanks to analysis from researcher Vitali Kremez, we now have an additional IOC. If the victim’s MAC address does NOT match with an address on the hardcoded list then the malware creates a file called .idx.ini in the user directory. The purpose of the file is unclear, but its presence is an indication that the machine was in fact infected with a backdoored version of ASUS Live Update, but no second-stage payload was delivered.

 

What else can you do now to protect yourself and your clients?

  • If you have ASUS notebooks in your environments, make sure the latest version of Live Update (3.6.8) is installed. Warning: If you go to the ASUS support site to download the update directly take note that ASUS is still pointing to older versions of Live Update.

  • Monitor for / block the hash IOCs provided by Kaspersky and Florian Roth.
  • Monitor any potentially affected machines more closely in general using your RMM.
  • Make sure you’re backing up your systems, your security software is up-to-date, and you’re taking practical steps to harden your systems and reduce your attack surface (we’ve got a new checklist that can help).

 

We’ll be following this story closely. For updates on it and other security issues affecting MSPs and clients subscribe to our blog.

In the meantime, you can download our 2019 MSP Cybersecurity Checklist here.