
ShadowHammer: Asus distributes malware to thousands of computers

lacion

Original Story: https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers


Quote

Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.

“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team, who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.


It's more than obvious nowadays that the whole automatic updates model is not providing more security to users; in fact, it may be damaging them. It looks like having vendors close-source security or software updates is now a successful attack vector for malicious actors. We need more ways to verify that what we are installing is indeed what we're supposed to or actually want to install; a mere signature is not enough. Waiting for the tech paper by Kaspersky here. It looks like the attackers actually took full control of Asus distribution servers and were able to get their hands on the certificate used to sign binaries, or at least took control of the servers that were doing the signing.


Was just on my way to post this. They cast a wide net with this, but were apparently only looking for about 600 machines?


Hopefully that doesn't include BIOS updates. I have no clue if that's even possible, but from all the vulnerabilities discovered on Intel I wouldn't be surprised.


33 minutes ago, lacion said:

It's more than obvious nowadays that the whole automatic updates model is not providing more security to users; in fact, it may be damaging them.

Well, you're damned if you do or you're damned if you don't.

Bugs that lead to huge security holes are mitigated best by automatic updates, but buggy patches or the super rare fake virus patches are prevented by not having automatic updates.

So which is the worse of the 2 evils?

Also, if updates are not automatic, some users would never get security updates.


2 minutes ago, The Benjamins said:

Well, you're damned if you do or you're damned if you don't.

Bugs that lead to huge security holes are mitigated best by automatic updates, but buggy patches or the super rare fake virus patches are prevented by not having automatic updates.

So which is the worse of the 2 evils?

Also, if updates are not automatic, some users would never get security updates.

I totally see your point there. There is a problem of trust; in security, generally speaking, you should trust no one. So if we update based on a trusted vendor, we are already incurring insecure practices.

What we need are new validation processes where the updater does not assume something is trusted.


What software was actually affected?


6 minutes ago, seoz said:

I now fear using my ZenBook, nice. I didn't read into the article too deeply, but what software is actually affected and what are the effects of this attack?

Too afraid to read the article, eh?


10 minutes ago, Velcade said:

Too afraid to read the article, eh?

Yeah, Asus is my favorite hardware brand. I own an Asus motherboard and an Asus graphics card, and have owned and used three Asus laptops.


There are no comments yet from either Asus or Kaspersky on the details, so we don't know what was affected. Kaspersky says that it looks like there were about 600 machines targeted, but the malware was installed on about 500k-ish machines. It looks like once the malware from Asus was installed, a second server was called to install a backdoor, but the server that was being contacted went offline before the exploit was found. So there are a lot of unknowns for now.

They mentioned this Reddit thread from 9 months ago, saying that this was the malicious update being distributed. The reason why no one in that thread saw outgoing connections after install is because they were not part of those 600 targeted machines.


Good thing I only ever install drivers and not any of the other garbage they always try and push on people xD


600 machines targeted; am I the only person suspecting someone's intelligence agency? That's far too narrow for a traditional hacker type.


They should at least provide some kind of list of devices that are infected with the malware, anywhere from their Zen phones, Zen notebooks/mainstream laptops, and OEM desktops to, say, motherboards, as well as some kind of timeframe. The last time I updated any ASUS product was my Crosshair VI Hero around June, give or take, for the BIOS.


1 minute ago, CarlBar said:

600 machines targeted; am I the only person suspecting someone's intelligence agency? That's far too narrow for a traditional hacker type.

Or they were just known targets that could get them money, maybe private companies to infect with ransomware.


The first thing I always do on big brand devices is to format the drive and install Windows clean without all that junk. Apparently, that rule still applies.

avast! had a similar incident a few years ago, which was an inside job or at least done from the inside. I'd say this is a pretty similar situation.


I'm wondering if this is related to the RGB security vulnerability from a few months ago.


8 hours ago, The Benjamins said:

Well, you're damned if you do or you're damned if you don't.

Bugs that lead to huge security holes are mitigated best by automatic updates, but buggy patches or the super rare fake virus patches are prevented by not having automatic updates.

So which is the worse of the 2 evils?

Also, if updates are not automatic, some users would never get security updates.

If I'm going to get a virus, I'd much prefer that it be because I was too lazy to update rather than because some compromised update got pushed to my PC while I was at work and I had no choice in the matter.

If companies want to encourage users to update more frequently, maybe they should spend more effort adding worthwhile and bug-tested features and less trying to be their digital babysitter.


Some of the Asus boards have a driver update that's built into the BIOS.

https://www.techpowerup.com/248827/asus-z390-motherboards-automatically-push-software-into-your-windows-installation


12 hours ago, seoz said:

I now fear using my ZenBook, nice. I didn't read into the article too deeply, but what software is actually affected and what are the effects of this attack?

You can check if your PC is one of the 600 targets of ShadowHammer by putting your MAC address into https://shadowhammer.kaspersky.com/

It’s a standard practice among antivirus vendors to share signatures if it’s something serious and widespread, so as long as yours is up to date, you’re now protected against it.


And they called me a retard for saying BIOS Setup was and is the best way of controlling your PC and that none of the software bundled with the boards is even necessary or useful.

>well well well

WHO'S THE RETARD NOW?


7 hours ago, captain_to_fire said:

Basically, legit update processes can be hijacked, and Kaspersky informed them immediately, but Asus shrugged it off and told them to sign an NDA. Wut?

Kaspersky’s report: https://securelist.com/operation-shadowhammer/89992/

Some people in management do not deserve their job.

In my last job, every time we got an email with some hack disclosure, everyone rushed to verify it and what we could do to fix it; we never asked anyone to sign an NDA.

These companies need to update their security procedures; security by obscurity is BS.


18 minutes ago, lacion said:

Some people in management do not deserve their job.

In my last job, every time we got an email with some hack disclosure, everyone rushed to verify it and what we could do to fix it; we never asked anyone to sign an NDA.

These companies need to update their security procedures; security by obscurity is BS.

So it seems that last year some users discovered a shady Asus update, which was discussed in this subreddit.

It remained undetected by every antivirus until Kaspersky updated their detection algorithms to detect supply chain anomalies. I don’t see any reason why Asus would force Kaspersky to sign an NDA and not inform their users about a malicious update that hitchhiked their supply chain.


17 hours ago, CarlBar said:

600 machines targeted; am I the only person suspecting someone's intelligence agency? That's far too narrow for a traditional hacker type.

Might have been someone trying to slip under the radar.
