Log in or Sign up

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

Discussion in 'Frontpage news' started by BetA, Mar 25, 2019.

Page 1 of 2

BetA Ancient Guru

Messages:

4,207

Likes Received:

179

GPU:

MSI GTX670 PEOC@1350Mhz

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

The Taiwan-based tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines.

Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says.
ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.

The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.

Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore. In the meantime, Kaspersky has published some of the technical details on its website.

"“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS.""

The issue highlights the growing threat from so-called supply-chain attacks, where malicious software or components get installed on systems as they’re manufactured or assembled, or afterward via trusted vendor channels. Last year the US launched a supply chain task force to examine the issue after a number of supply-chain attacks were uncovered in recent years. Although most attention on supply-chain attacks focuses on the potential for malicious implants to be added to hardware or software during manufacturing, vendor software updates are an ideal way for attackers to deliver malware to systems after they’re sold, because customers trust vendor updates, especially if they’re signed with a vendor’s legitimate digital certificate.
“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.

Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.
Read more: What Is a 'Supply Chain Attack?'
But the US-based security firm Symantec confirmed the Kaspersky findings on Friday after being asked by Motherboard to see if any of its customers also received the malicious download. The company is still investigating the matter but said in a phone call that at least 13,000 computers belonging to Symantec customers were infected with the malicious software update from ASUS last year.

“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS,” said Liam O’Murchu, director of development for the Security Technology and Response group at Symantec.
This is not the first time attackers have used trusted software updates to infect systems. The infamous Flame spy tool, developed by some of the same attackers behind Stuxnet, was the first known attack to trick users in this way by hijacking the Microsoft Windows updating tool on machines to infect computers. Flame, discovered in 2012, was signed with an unauthorized Microsoft certificate that attackers tricked Microsoft’s system into issuing to them. The attackers in that case did not actually compromise Microsoft’s update server to deliver Flame. Instead, they were able to redirect the software update tool on the machines of targeted customers so that they contacted a malicious server the attackers controlled instead of the legitimate Microsoft update server.

Two different attacks discovered in 2017 also compromised trusted software updates. One involved the computer security cleanup tool known as CCleaner that was delivering malware to customers via a software update. More than 2 million customers received that malicious update before it was discovered. The other incident involved the infamous notPetya attack that began in Ukraine and infected machines via a malicious update to an accounting software package.
Costin Raiu, company-wide director of Kaspersky’s Global Research and Analysis Team, said the ASUS attack is different from these others. “I’d say this attack stands out from previous ones while being one level up in complexity and stealthiness. The filtering of targets in a surgical manner by their MAC addresses is one of the reasons it stayed undetected for so long. If you are not a target, the malware is virtually silent,” he told Motherboard.
But even if silent on non-targeted systems, the malware still gave the attackers a backdoor into every infected ASUS system.

Tony Sager, senior vice president at the Center for Internet Security who did defensive vulnerability analysis for the NSA for years, said the method the attackers chose to target specific computers is odd.

“Supply chain attacks are in the ‘big deal’ category and are a sign of someone who is careful about this and has done some planning,” he told Motherboard in a phone call. “But putting something out that hits tens of thousands of targets when you’re really going only after a few is really going after something with a hammer.”
Kaspersky researchers first detected the malware on a customer’s machine on January 29. After they created a signature to find the malicious update file on other customer systems, they discovered that more than 57,000 Kaspersky customers had been infected with it. That victim toll only accounts for Kaspersky customers, however. Kamluk said the real number is likely in the hundreds of thousands.

Most of the infected machines belonging to Kaspersky customers (about 18 percent) were in Russia, followed by fewer numbers in Germany and France. Only about 5 percent of infected Kaspersky customers were in the United States. Symantec’s O’Murchu said that about 15 percent of the 13,000 machines belonging to his company’s infected customers were in the U.S.
Kamluk said Kaspersky notified ASUS of the problem on January 31, and a Kaspersky employee met with ASUS in person on February 14. But he said the company has been largely unresponsive since then and has not notified ASUS customers about the issue.
The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, so the attackers then switched to a second legitimate ASUS certificate to sign their malware after this.

Kamluk said ASUS continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky notified the company of the problem, though it has since stopped. But Kamluk said ASUS has still not invalidated the two compromised certificates, which means the attackers or anyone else with access to the un-expired certificate could still sign malicious files with it, and machines would view those files as legitimate ASUS files.
This wouldn't be the first time ASUS was accused of compromising the security of its customers. In 2016, the company was charged by the Federal Trade Commission with misrepresentation and unfair security practices over multiple vulnerabilities in its routers, cloud back-up storage and firmware update tool that would have allowed attackers to gain access to customer files and router log-in credentials, among other things. The FTC claimed ASUS knew about those vulnerabilities for at least a year before fixing them and notifying customers, putting nearly a million US router owners at risk of attack. ASUS settled the case by agreeing to establish and maintain a comprehensive security program that would be subject to independent audit for 20 years.

The ASUS live update tool that delivered malware to customers last year is installed at the factory on ASUS laptops and other devices. When users enable it, the tool contacts the ASUS update server periodically to see if any firmware or other software updates are available.

"“They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”"

The malicious file pushed to customer machines through the tool was called setup.exe, and purported to be an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 that the attackers injected with malicious code before signing it with a legitimate ASUS certificate. The attackers appear to have pushed it out to users between June and November 2018, according to Kaspersky Lab. Kamluk said the use of an old binary with a current certificate suggests the attackers had access to the server where ASUS signs its files but not the actual build server where it compiles new ones. Because the attackers used the same ASUS binary each time, it suggests they didn’t have access to the whole ASUS infrastructure, just part of the signing infrastructure, Kamluk notes. Legitimate ASUS software updates still got pushed to customers during the period the malware was being pushed out, but these legitimate updates were signed with a different certificate that used enhanced validation protection, Kamluk said, making it more difficult to spoof.

The Kaspersky researchers collected more than 200 samples of the malicious file from customer machines, which is how they discovered the attack was multi-staged and targeted.
Buried in those malicious samples were hard-coded MD5 hash values that turned out to be unique MAC addresses for network adapter cards. MD5 is an algorithm that creates a cryptographic representation or value for data that is run through the algorithm. Every network card has a unique ID or address assigned by the manufacturer of the card, and the attackers created a hash of each MAC address it was seeking before hard-coding those hashes into their malicious file, to make it more difficult to see what the malware was doing. The malware had 600 unique MAC addresses it was seeking, though the actual number of targeted customers may be larger than this. Kaspersky can only see the MAC addresses that were hard-coded into the particular malware samples found on its customers’ machines.

The Kaspersky researchers were able to crack most of the hashes they found to determine the MAC addresses, which helped them identify what network cards the victims had installed on their machines, but not the victims themselves. Any time the malware infected a machine, it collected the MAC address from that machine’s network card, hashed it, and compared that hash against the ones hard-coded in the malware. If it found a match to any of the 600 targeted addresses, the malware reached out to asushotfix.com, a site masquerading as a legitimate ASUS site, to fetch a second-stage backdoor that it downloaded to that system. Because only a small number of machines contacted the command-and-control server, this helped the malware stay under the radar.

“They were not trying to target as many users as possible,” said Kamluk. “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”

Symantec’s O’Murchu said he’s not sure yet if any of his company’s customers were among those whose MAC addresses were on the target list and received the second-stage backdoor.
The command-and-control server that delivered the second-stage backdoor was registered May 3 last year but was shut down in November before Kaspersky discovered the attack. Because of this, the researchers were unable to obtain a copy of the second-stage backdoor pushed out to victims or identify victim machines that had contacted that server. Kaspersky believes at least one of its customers in Russia got infected with the second-stage backdoor when his machine contacted the command-and-control server on October 29 last year, but Raiu says the company doesn’t know the identity of the machine’s owner in order to contact him and investigate further.

There were early hints that a signed and malicious ASUS update was being pushed to users in June 2018, when a number of people posted comments in a Reddit forum about a suspicious ASUS alert that popped up on their machines for a “critical” update. “ASUS strongly recommends that you install these updates now,” the alert warned.
In a post titled “ASUSFourceUpdater.exe is trying to do some mystery update, but it won't say what,” a user named GreyWolfx wrote, “I got an update popup from a .exe that I had never seen before today….I’m just curious if anyone knows what this update would possibly be for?”
When he and other users clicked on their ASUS updater tool to get information about the update, the tool showed no recent updates had been issued from ASUS. But because the file was digitally signed with an ASUS certificate and because scans of the file on the VirusTotal web site indicated it was not malicious, many accepted the update as legitimate and downloaded it to their machines. VirusTotal is a site that aggregates dozens of antivirus programs; users can upload suspicious files to the site to see if any of the tools detect it as malicious.

“I uploaded the executable [to VirusTotal] and it comes back as a validly signed file without issue,” one user wrote. “The spelling of 'force' and the empty details window are indeed odd, but I noticed odd grammar errors in other ASUS software installed on this system, so it's not a smoking gun by itself,” he noted.

Kamluk and Raiu said this may not be the first time the ShadowHammer attackers have struck. They said they found similarities between the ASUS attack and ones previously conducted by a group dubbed ShadowPad by Kaspersky. ShadowPad targeted a Korean company that makes enterprise software for administering servers; the same group was also linked to the CCleaner attack. Although millions of machines were infected with the malicious CCleaner software update, only a subset of these got targeted with a second stage backdoor, similar to the ASUS victims. Notably, ASUS systems themselves were on the targeted CCleaner list.
The Kaspersky researchers believe the ShadowHammer attackers were behind the ShadowPad and CCleaner attacks and obtained access to the ASUS servers through the latter attack.

“ASUS was one of the primary targets of the CCleaner attack,” Raiu said. “One of the possibilities we are taking into account is that’s how they intially got into the ASUS network and then later through persistence they managed to leverage the access … to launch the ASUS attack.”
Click to expand...

source:
https://motherboard.vice.com/en_us/...o-install-backdoors-on-thousands-of-computers

Last edited: Mar 26, 2019

BetA, Mar 25, 2019

#1

lucidus likes this.
GREGIX Master Guru

Messages:

574

Likes Received:

56

GPU:

MSI 1080 /AMD v7

Nice....never trusted their software anyway, always something was wrong with installer on my z97

GREGIX, Mar 25, 2019

#2

BlackZero likes this.
fantaskarsef Ancient Guru

Messages:

11,277

Likes Received:

3,327

GPU:

2080Ti @h2o

Never use such a software by principle myself, but I'm fairly sure there's a lot of people doing it. Also, from the linked article:

“They were not trying to target as many users as possible,” said Kamluk. “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”
Click to expand...

fantaskarsef, Mar 25, 2019

#3

BlackZero likes this.
BlackZero Ancient Guru

Messages:

8,880

Likes Received:

474

GPU:

RX Vega

Espionage, I hear.

BlackZero, Mar 25, 2019

#4

fantaskarsef likes this.
fantaskarsef Ancient Guru

Messages:

11,277

Likes Received:

3,327

GPU:

2080Ti @h2o

BlackZero said: ↑

Espionage, I hear.
Click to expand...

In the article, at one point they hint at the hackers behind this might be connected to Stuxnet etc., so they're not after stealing credit cards

fantaskarsef, Mar 25, 2019

#5

BlackZero likes this.
schmidtbag Ancient Guru

Messages:

4,712

Likes Received:

1,506

GPU:

HIS R9 290

Stuff like this is why I always prefer to do a complete fresh OS install whenever I get a new PC. Pre-built PCs come with so much useless, bloated, and insecure crap that nobody asked for.

schmidtbag, Mar 25, 2019

#6

Jagman, KissSh0t, fantaskarsef and 1 other person like this.
tsunami231 Ancient Guru

Messages:

9,955

Likes Received:

424

GPU:

EVGA 1070Ti Black

BetA said: ↑

Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

source:
https://motherboard.vice.com/en_us/...o-install-backdoors-on-thousands-of-computers
Click to expand...

i dont even install there "software" I dont even use Asus Firmware on my AC66U.

Any any PC i ever bought that was "prebuilt" by any company that make PC is isntantly Debloated or even clean installed of windows

tsunami231, Mar 25, 2019

#7

fantaskarsef likes this.
HeavyHemi Ancient Guru

Messages:

6,486

Likes Received:

711

GPU:

GTX1080Ti

Wait a minute....

'But the US-based security firm Symantec confirmed the Kaspersky findings on Friday after being asked by Motherboard to see if any of its customers also received the malicious download. The company is still investigating the matter but said in a phone call that at least 13,000 computers belonging to Symantec customers were infected with the malicious software update from ASUS last year.

So Symantec is saying they MISSED this or they caught it and did not report a compromised server(s) to ASUS?

HeavyHemi, Mar 25, 2019

#8

fantaskarsef likes this.
HeavyHemi Ancient Guru

Messages:

6,486

Likes Received:

711

GPU:

GTX1080Ti

schmidtbag said: ↑

Stuff like this is why I always prefer to do a complete fresh OS install whenever I get a new PC. Pre-built PCs come with so much useless, bloated, and insecure crap that nobody asked for.
Click to expand...

How would that help you when the issue came from ASUS or the maker? The analog would be if your NIC driver or motherboard drivers were infected when you naturally update those from doing a base OS install. Or do you just run with the basic generic drivers?

HeavyHemi, Mar 25, 2019

#9
schmidtbag Ancient Guru

Messages:

4,712

Likes Received:

1,506

GPU:

HIS R9 290

HeavyHemi said: ↑

How would that help you when the issue came from ASUS or the maker? The analog would be if your NIC driver or motherboard drivers were infected when you naturally update those from doing a base OS install. Or do you just run with the basic generic drivers?
Click to expand...

I avoid OEM drivers wherever possible too. They too are really bloated and poorly maintained. If a non-GPU (and in some cases, non-audio driver) ends up being more than 5MB, I'm not installing it. My priority for drivers goes:
1. Windows built-in drivers (where available, and only for "simple" devices like NICs or SATA controllers).
2. The chipset manufacturer's drivers.
3. OEM-supplied drivers.
I'll sometimes use the OEM drivers if I'm having a hard time getting the first 2 to work, or, if I don't know what the chipset is and don't feel like finding out; Windows is such a PITA to find such things. I don't know why it doesn't let you probe all PCI and USB devices for their chipset like every other modern OS does so easily out-of-the-box.

schmidtbag, Mar 25, 2019

#10
D3M1G0D Ancient Guru

Messages:

2,077

Likes Received:

1,331

GPU:

2 x GeForce 1080 Ti

Figures. I buy an ASUS motherboard after having used MSI for the longest thing, and then this happens. I'm pretty sure I didn't install any automatic update software but I'll need to double-check when I get home. Very disappointing.

D3M1G0D, Mar 25, 2019

#11
ruthan Master Guru

Messages:

295

Likes Received:

24

GPU:

G970/3.5G MSI

It is not good for Antivirus companies neither, 5 months without detection..

ruthan, Mar 25, 2019

#12

GSDragoon, fantaskarsef and airbud7 like this.
airbud7 Ancient Guru

Messages:

7,728

Likes Received:

4,569

GPU:

pny gtx 1060 xlr8

ruthan said: ↑

It is not good for Antivirus companies neither, 5 months without detection..
Click to expand...

that's what I was thinking too

airbud7, Mar 25, 2019

#13

K.S. likes this.
K.S. Ancient Guru

Messages:

2,090

Likes Received:

547

GPU:

EVGA RTX 2080 Ti XC

Thank god I'm not procuring my ASUStek with ASUS LiveUpdate.... AISuite etc

Someone's getting fired, someone's getting sued... someone likely violated GDRP...

K.S., Mar 26, 2019

#14

airbud7 likes this.
Petr V Master Guru

Messages:

289

Likes Received:

80

GPU:

Gtx over 9000

Only Asus software updates?

Petr V, Mar 26, 2019

#15
BetA Ancient Guru

Messages:

4,207

Likes Received:

179

GPU:

MSI GTX670 PEOC@1350Mhz
UPDATE::

ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups

2019/03/26
ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups
Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers.
ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.
More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html

How do I know whether or not my device has been targeted by the malware attack?
Only a very small number of specific user group were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance.

What should I do if my device is affected?
Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.

How do I make sure that I have the latest version of ASUS Live Update?
You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
https://www.asus.com/support/FAQ/1018727/

Have other ASUS devices been affected by the malware attack?
No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.

Click to expand...

https://www.asus.com/News/hqfgVUyZ6uyAyJe1

heres the DIAGNOSIS TOOL from asus:
https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip

cheers
BetA, Mar 26, 2019

#16
gdmaclew Member

Messages:

44

Likes Received:

12

GPU:

Sapphire RX-580 4GB

The only problem with the DIAGNOSIS TOOL is that even if you have an ASUS motherboard it gives you an error message - "only for ASUS machine!" The exclamation point it theirs not mine.

gdmaclew, Mar 26, 2019

#17
INSTG8R Ancient Guru

Messages:

1,553

Likes Received:

58

GPU:

Nitro+ Vega 64

gdmaclew said: ↑

The only problem with the DIAGNOSIS TOOL is that even if you have an ASUS motherboard it gives you an error message - "only for ASUS machine!" The exclamation point it theirs not mine.
Click to expand...

This only affected notebooks so I’m not surprised by the error.

INSTG8R, Mar 26, 2019

#18
alanm Ancient Guru

Messages:

9,069

Likes Received:

1,401

GPU:

Asus 2080 Dual OC

“Supply chain attacks are in the ‘big deal’ category and are a sign of someone who is careful about this and has done some planning,”..... “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.” .... as well as using digital certificates.

I'll bet some spy agency, CIA, Mossad, Russian intel, etc, are involved. The capabilities and resources needed to pull this sort of thing off are just not what you would see from your regular run of the mill hackers

alanm, Mar 26, 2019

#19
BetA Ancient Guru

Messages:

4,207

Likes Received:

179

GPU:

MSI GTX670 PEOC@1350Mhz

updated Pics in first post...

BetA, Mar 26, 2019

#20

fantaskarsef likes this.

(You must log in or sign up to reply here.)

Page 1 of 2

Share This Page