Asus breach highlights software supply chain risk

Software supply chain attacks represent a growing threat, and Asus is just one example.
26 March 2019

Asus store in Hong Kong. Source: Shutterstock

More than one million Asus laptops could have been hacked using the Asus Live Update Utility, according to a report by cybersecurity software provider Kaspersky Labs.

According to the first report on Motherboard, the Taiwanese tech company is believed to have directed malware to “hundreds of thousands” of customers through its trusted automatic software update tools after attackers compromised the company’s server.

As a result, malicious actors were able to install a ‘backdoor’ on thousands of laptops last year.

The file the attackers used was signed with legitimate Asus certification, so it appeared authentic, according to Kaspersky. Even the file size was kept the same as the original to further reduce the risk of detection.

While the issue has since been resolved, the company was pushing the malware to customers for five months before it was discovered in January this year.

Kaspersky estimates half a million Windows machines were subject to the attack, but it found attackers were only targeting 600 of those devices. The malware identified targeted systems by their unique MAC addresses and installed additional malware once a machine on the target list was detected.

The ongoing attack was uncovered by Kaspersky after it deployed a new supply-chain detection technology, which scans legitimate code for anomalies and flags code that hijacks a machine’s normal operations.

Dubbing the attack “ShadowHammer”, the Russian cybersecurity firm plans to release more detail about its discovery of the attack (and the new tool) at next month’s Security Analyst Summit in Singapore. That’s led some to question the timing of its discovery as a possible publicity stunt.

Nonetheless, the company notified Asus (the world’s fifth-largest PC vendor by 2017 unit sales, according to Gartner) about the breach on January 31, 2019. And perhaps more worryingly, the same techniques were used against software from three other vendors.

Software supply-chain attacks

Importantly, the breach shines a light on the rise of increasingly sophisticated supply-chain attacks, where malicious software or components are inserted into systems during the build process, or afterward via trusted vendor channels.

Commenting on the news, BitSight’s VP Government Affairs, Jake Olcott, said supply chain risk is now “one of the biggest challenges in cyber today”.

“Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” said Olcott, urging companies to “get a better handle on this risk” through rigorous diligence and continuous monitoring of critical vendors.

Similar thoughts were echoed by Synopsys’ associate principal consultant, Thomas Richards. He said that while chains of trust, which use certificate signing to push software updates or patches, are important, they need to be carefully monitored at all times to ensure that the chain of trust isn’t broken.

“Proper monitoring tools and policies should exist which verify software before it is sent to customers,” said Richards.

“This verification should contain an approvals paper trail which will highlight where the software originated from, the purpose, and the individual approvers in the various steps of the chain before the software was published.”
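Richards’ point about verifying software before it is published, together with the earlier detail that the trojanized file kept the original’s size, can be illustrated with a release gate. The Python below is an added example written for this article; it is not Kaspersky’s, Asus’s or Synopsys’ code. The update bytes, the approval key and the manifest fields are all constructed for the demonstration, and the HMAC-sealed “approval record” is a hypothetical stand-in for whatever paper trail a vendor actually keeps.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts: a stand-in for a legitimate update binary and a
# tampered copy that keeps exactly the same length, the trick the article describes.
LEGIT_UPDATE = b"LIVEUPDATE-PAYLOAD" + b"\x00" * 1000
TAMPERED_UPDATE = b"LIVEUPDATE-PAYLOAD" + b"\x90" * 16 + b"\x00" * 984

# Hypothetical key held only by the release-approval service (constructed).
APPROVAL_KEY = b"release-approval-key-demo"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(record: dict) -> str:
    # Canonical JSON so the same record always produces the same MAC.
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(APPROVAL_KEY, payload, hashlib.sha256).hexdigest()


def build_manifest(artifact: bytes, origin: str, purpose: str, approvers: list) -> dict:
    """Record the paper trail Richards describes (origin, purpose, approvers)
    together with a hash of the exact bytes that were approved, then seal it so
    the record cannot be rewritten to match a swapped artifact."""
    record = {
        "sha256": sha256_hex(artifact),
        "size": len(artifact),
        "origin": origin,
        "purpose": purpose,
        "approvers": list(approvers),
    }
    record["approval_mac"] = _seal(record)
    return record


def size_only_check(artifact: bytes, manifest: dict) -> bool:
    """The weak control: a size comparison passes a same-length trojanized file."""
    return len(artifact) == manifest["size"]


def verify_before_publish(artifact: bytes, manifest: dict):
    """Gate an artifact must pass before it is copied to the update server.
    Returns (ok, reason)."""
    record = {k: v for k, v in manifest.items() if k != "approval_mac"}
    if not hmac.compare_digest(_seal(record), manifest["approval_mac"]):
        return False, "approval record has been altered"
    if not manifest["approvers"]:
        return False, "no approvers recorded"
    if not hmac.compare_digest(sha256_hex(artifact), manifest["sha256"]):
        return False, "artifact hash does not match approved build"
    return True, "ok"


if __name__ == "__main__":
    manifest = build_manifest(LEGIT_UPDATE, "build-server-01",
                              "live update package", ["release-eng", "security-review"])
    for name, blob in (("legitimate", LEGIT_UPDATE), ("tampered", TAMPERED_UPDATE)):
        print(name, "size check:", size_only_check(blob, manifest),
              "full verification:", verify_before_publish(blob, manifest))
```

The size check accepts both files, which is exactly the gap the attackers exploited; the hash and sealed approval record reject the tampered build, and also reject an attempt to edit the manifest’s hash to match it, since the seal no longer verifies.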

On the ASUS attack, Kaspersky said the level of sophistication matched or even surpassed the ShadowPad and CCleaner incidents.

“The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”) […] the malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers,” it said.

The company has also released a tool that users can run to determine whether their computer was one of the surgically selected targets of this attack.