Backdoors added to ASUS computers through its software update platform resulted in what Kaspersky researchers are calling one of the largest supply chain incidents ever, “ShadowHammer,” which even surpassed the scope of the CCleaner attack.
Researchers estimated malware was distributed to nearly a million people, although the cybercriminals appeared to have only targeted 600 specific MAC addresses for which hashes were hardcoded into different versions of the utility.
“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” Kaspersky researchers said in a report. “The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time.”
Researchers also noted the same techniques were used against software from three other unnamed vendors which have since been notified along with ASUS. In the meantime, users should update the ASUS Live Update Utility, researchers recommended.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said cybercriminals see code signing certificates as a valuable target due to their extreme power.
“Code signing certificates are used to establish which updates and machines should be trusted, and they are in the applications that power cars, laptops, planes and more,” Bocek said. “Nearly every operating system is dependent on code signing, and we will see many more certificates in the near future due to the rise of mobile apps, DevOps and IoT devices.”
Bocek added that unfortunately, many organizations rely on developers who aren’t prepared to defend these assets, to protect the code signing process and that most security teams don’t even know if their developers are using code signing or who may have access to the code signing process.
“It’s imperative for organizations to know what code-signing certificates they have in use and where, especially as it’s likely we’ll see similar attacks in the future,” Bocek said.
BitSight Vice President Jake Olcott said supply chain risk presents one of the biggest cybersecurity challenges today.
“Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” Olcott said. “Companies must conduct more rigorous diligence and continuously monitor these critical vendors in order to get a better handle on this risk.”
Mark Orlando, CTO, cyber protection solutions, at Raytheon Intelligence, said that it may be what we don’t yet know that makes the attack more interesting.
“Kaspersky’s investigation identified 600 MAC addresses – a unique identifier assigned to each networked device – hard coded into ASUS’ backdoored update utility,” Orlando said. “This indicates that the wide-reaching attack was launched for the purpose of targeting a relatively small number of very specific devices. It also implies that the attack is part of a multi-phased campaign that builds upon targeted reconnaissance of those devices.”
Orlando added that regardless of the attackers’ ultimate goal, we know that these kinds of supply chain attacks are growing in number and can compromise huge numbers of devices in a way that is difficult to detect.
To combat the growing threat, he said organizations should take a hard look at supply chain security, and specifically software update security, in light of this report.
“Compromised updates that are digitally signed and come from a trusted source will probably evade signature-based defenses like anti-virus; the best defenses are a shift towards proactive analysis (e.g. threat hunting) and tougher scrutiny of third-party software,” Orlando said.