ASUS update utility hack may have delivered malware to 1 million users

Kasperky Labs today announced the discovery of a wide-ranging supply-chain attack that was used to install a backdoor onto hundreds of thousands of ASUS computers. The hackers responsible for the attack, which Kaspersky is calling ShadowHammer, gained access to the ASUS Live Update Utility and modified it with this backdoor, which means that ASUS was unknowingly distributing the malware to its customers.

ShadowHammer seems to be a sophisticated attack, as Kaspersky says that the file was signed with ASUS digital certificates, which gave it the illusion of legitimacy. Beyond that, the compromised utility was stored on ASUS's update servers and was even the same size as the original file, so it seems these hackers went to pretty specific lengths to make sure their malware wasn't discovered.

Kaspersky said today that it has identified 57,000 of its own users who have downloaded the compromised utility, but it estimates that there are perhaps more than a million machines out there running this software. One particularly interesting thing to note about this attack is that in the vast majority of cases, that malware was sitting dormant on users' computers. Kaspersky notes that the attack seemed to be targeting an "unknown pool of users" by the MAC addresses associated with their network adapters.

In an extensive report published today, Motherboard writes that when malware detected a MAC address it was looking for, it "reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines." Kaspersky was able to find 600 hashed MAC addresses the malware was seeking, though there may be more targets of this attack.

Even though most people infected with this malware weren't specifically targeted, this news gives pause because that utility was still loading a backdoor onto many ASUS machines. Kasperky says that it first discovered this attack on January 29 and notified ASUS of its finding on January 31, which was followed by an in-person meeting between the two companies on February 14. Vitaly Kamluk, who led Kaspersky's research on this attack, told Motherboard that ASUS has been "largely unresponsive" since that February meeting and hasn't notified customers of the attack.

All told, the attack happened between July and November 2018, though Kaspersky says that its investigation is still ongoing. Full results and a technical paper about Kaspersky's findings will be presented during SAS 2019 in April, so we'll have to wait until next month for more details. Even though the investigation is still in progress, it's pretty clear that this supply-chain attack is a big deal. Stay tuned for more.