Attackers infected millions of ASUS computers, the world’s fifth largest computer vendor. Dubbed ‘ShadowHammer’, researchers are calling this the largest supply chain incident in history. Security researchers at Kaspersky first discovered the attack this January. They found that the attack took place between June and November of last year.
The malware was spread through the ASUS Live Update; a utility used to update applications such as the BIOS and UEFI. Attackers created a backdoor file which was signed with authentic ASUS certificates.The update was located in ASUS update servers. ASUS users then had to go in their machines and download the updates.
According to Kaspersky, a million users were affected by the attack. Over 57,000 Kaspersky users installed the backdoor. Malicious actors specifically targeted about 600 users worldwide through their MAC addresses. The malware looked for the specific MAC addresses. Once the address was located the malware notified the attackers through a command-and-control server. The attackers then installed additional malware on those computers.
“To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.”
Kaspersky notified ASUS of the attack on January 31, 2019. ASUS this week released a new version of the live update, ASUS Version 3.6.8. This version prevents manipulation of software updates, introduces enhanced end-to-end encryption, and hardens the server-to-end-user software architecture. ASUS also released a online security diagnostic tool that checks for affected machines.
Further, ASUS recommends all users affected by the attack to run a backup of all files and then restore their machines to factory settings. Doing this will remove the malware.
Contact LIFARS immediately if your organization was hit