An attack on the update system for ASUS personal computers running Microsoft Windows allowed attackers to inject backdoor malware into thousands of computers, according to researchers at Kaspersky Labs. The attack, reported today on Motherboard by Kim Zetter, took place last year and dropped malicious software signed with ASUS’ own digital certificate—making the software look like a legitimate update.
The traces of the attack were discovered by Kaspersky in January 2019, but it actually occurred between June and November 2018. Called “ShadowHammer” by Kaspersky, the attack targeted specific systems based on a range of MAC addresses. That target group, however, was substantial. According to a blog post by a Kaspersky spokesperson:
Over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time… We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.
Nearly half of the affected systems detected by Kaspersky were computers in Russia, Germany, and France—though this number may be more representative of where Kaspersky users with ASUS computers were rather than the actual geographic distribution. The domain associated with the attack, asushotfix.com, was hosted on a server with an IP address in Russia.
The backdoor malware was uncovered when Kaspersky added new code to its endpoint-protection tool. That tool is aimed at detecting supply-chain security breaches by scanning the contents of signed software updates for malware hidden within legitimate update code. A full paper on the ASUS attack will be presented in April at Kaspersky’s Security Analyst Summit in Singapore.
Supply-chain attacks—attempts to compromise the infrastructure that delivers software updates or the developers’ own software development operations—are on the rise. In October 2018, two separate supply-chain attacks were uncovered: one on the VestaCP control panel software used to manage shared hosting environments and another on a popular Python code repository. These sorts of attacks can spread malicious code widely across systems, making them easily discoverable and vulnerable to takeover by an attacker.