On March 25, cybersecurity firm Kaspersky Labs reported that it had found an Advanced Persistent Threat (APT) directed at ASUS computers, in the form of a modification to ASUS’s own Live Update Utility. The actor(s) reportedly “modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.”
In addition, the modified utility, which Kaspersky dramatically labeled “ShadowHammer,” was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.
Kaspersky calculated that more than 57,000 users of its products had installed the backdoored utility, and estimated that it was distributed to a total of approximately 1 million people. It also reported that the attacker(s) “targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility.” Finally, Kaspersky stated that while investigating this attack, it found “that the same techniques were used against software from three other vendors,” and notified ASUS and other companies about the attack.
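The victim-gating described above (hashes of target MAC addresses hardcoded into the utility) is what Kaspersky's own checker tool inverted to let users test their machines. The following is an added example, not the page's or Kaspersky's code, of that defensive check: it normalizes a host's MAC addresses, hashes them, and compares them against a list of target hashes. It assumes MD5 over the uppercase colon-separated MAC (the page does not state the algorithm), and the target list is a constructed placeholder, not a real indicator.

```python
"""Check whether any local MAC address matches a list of hashed target MACs.

Assumption (not stated on the page): the hash is MD5 over the MAC written as
uppercase, colon-separated hex ("AA:BB:CC:DD:EE:FF"). The TARGET_HASHES list
is constructed for this example; a real check would load published indicators.
"""
import hashlib
import re
import uuid
from typing import Iterable, List


def normalize_mac(mac: str) -> str:
    """Accept 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff', 'AA:BB:...' and return a
    canonical uppercase colon-separated form, so formatting differences between
    OS tools and indicator feeds do not cause a missed match."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """MD5 hex digest of the canonical MAC (assumed hashing scheme)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def local_macs() -> List[str]:
    """Return the primary interface's MAC as reported by uuid.getnode().
    If no hardware address could be read, getnode() returns a random value with
    the multicast bit (bit 40) set; treat that as 'no MAC found'."""
    node = uuid.getnode()
    if node & (1 << 40):
        return []
    return [normalize_mac(f"{node:012x}")]


def find_targeted(macs: Iterable[str], target_hashes: Iterable[str]) -> List[str]:
    """Return the MACs (as given) whose hash appears in the target list."""
    targets = {h.lower() for h in target_hashes}
    return [m for m in macs if mac_hash(m) in targets]


# Constructed placeholder target list: the hash of a made-up MAC address.
TARGET_HASHES = [mac_hash("00:11:22:33:44:55")]

if __name__ == "__main__":
    hits = find_targeted(local_macs(), TARGET_HASHES)
    print("targeted MAC(s):", hits if hits else "none")
```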
ASUS has since responded, according to TechRadar, that “[a] small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.” It should be noted, however, that another leading cybersecurity firm, Symantec, stated that based on its telemetry, at least 13,000 computers received the malicious updates, and that those victims (80 percent consumers and 20 percent organizations) were evenly distributed around the world.
ASUS further stated that it had implemented a fix in the latest version of the Live Update software that implements “an enhanced end-to-end encryption mechanism,” and that it had updated and strengthened its server-to-end-user software architecture to prevent similar attacks in the future. ASUS also has made available a page that shows users how to ensure that they are getting the latest and safest version of Live Update Utility.
Note: Kaspersky’s assessment on SecureList that ShadowHammer is “a very sophisticated supply chain [malware] attack” appears reasonable. Prior supply-chain attacks that Kaspersky compared to ShadowHammer, such as ShadowPad and CCleaner in 2017, evidently were less complex and sophisticated in execution.
Accordingly, corporate information-security and compliance teams, even in companies that do not provide ASUS computers to their employees, should disseminate information about ShadowHammer internally, as an example of the more sophisticated APTs that may be directed at their systems. They should also use this incident as a talking point with all of their third-party providers of hardware and cybersecurity products, to get current information on what those providers are doing to minimize the risk of sophisticated APTs such as ShadowHammer, ShadowPad, and CCleaner infecting their systems.