Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers vice.com
Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world's biggest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says.
ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.
The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of those targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.
Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code, or code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore. In the meantime, Kaspersky has published some of the technical details on its website.
The issue highlights the growing threat from so-called supply-chain attacks, in which malicious software or components get installed on systems as they are manufactured or assembled, or later on through trusted vendor channels. Last year the US launched a supply chain task force to examine the problem after a number of supply-chain attacks were uncovered in recent years. Although most attention on supply-chain attacks focuses on the potential for malicious implants to be added to hardware or software during manufacturing, vendor software updates are an ideal way for attackers to deliver malware to systems after they are sold, because customers trust vendor updates, especially if they are signed with a vendor's legitimate digital certificate.
“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab's Global Research and Analysis Team, who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.
Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.
But the US-based security firm Symantec confirmed the Kaspersky findings on Friday after being asked by Motherboard to check whether any of its customers had also received the malicious download. The company is still investigating the matter but said in a phone call that at least 13,000 computers belonging to Symantec customers were infected with the malicious software update from ASUS last year.
“We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS,” said Liam O'Murchu, director of development for the Security Technology and Response group at Symantec.
This is not the first time attackers have used trusted software updates to infect systems. The infamous Flame spy tool, developed by some of the same attackers behind Stuxnet, was the first known attack to trick users in this way, by hijacking the Microsoft Windows update tool on machines to infect computers. Flame, discovered in 2012, was signed with an unauthorized Microsoft certificate that the attackers tricked Microsoft's system into issuing to them. The attackers in that case did not actually compromise Microsoft's update server to deliver Flame. Instead, they were able to redirect the software update tool on the machines of targeted customers so that it contacted a malicious server the attackers controlled instead of the legitimate Microsoft update server.
Two different attacks discovered in 2017 also compromised trusted software updates. One involved the computer cleanup tool CCleaner, which delivered malware to customers through a software update. More than 2 million customers received that malicious update before it was discovered. The other incident involved the infamous NotPetya attack, which began in Ukraine and infected machines through a malicious update to an accounting software package.
Costin Raiu, company-wide director of Kaspersky's Global Research and Analysis Team, said the ASUS attack is different from these others. “I'd say this attack stands out from previous ones while being one level up in complexity and stealthiness. The filtering of targets in a surgical way by their MAC addresses is one of the reasons it stayed undetected for so long. If you are not a target, the malware is virtually silent,” he told Motherboard.
But although silent on non-targeted systems, the malware still gave the attackers a backdoor into every infected ASUS machine.
Tony Sager, senior vice president at the Center for Internet Security, who did defensive vulnerability analysis for the NSA for years, said the method the attackers chose to target specific computers is unusual.
“Supply chain attacks are in the ‘big deal’ category and are a sign of someone who is careful about this and has done some planning,” he told Motherboard in a phone call. “But putting something out that hits tens of thousands of targets when you're really going only after a few is really going after something with a hammer.”
Kaspersky researchers first detected the malware on a customer's system on January 29. After they created a signature to find the malicious update file on other customer systems, they found that more than 57,000 Kaspersky customers had been infected with it. That victim toll only accounts for Kaspersky customers, however. Kamluk said the real number is likely in the hundreds of thousands.
Most of the infected machines belonging to Kaspersky customers (about 18 percent) were in Russia, followed by smaller numbers in Germany and France. Only about 5 percent of infected Kaspersky customers were in the United States. Symantec's O'Murchu said that about 15 percent of the 13,000 machines belonging to his company's infected customers were in the US.
Kamluk said Kaspersky notified ASUS of the problem on January 31, and a Kaspersky employee met with ASUS in person on February 14. But he said the company has been largely unresponsive since then and has not notified ASUS customers about the issue.
The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, so the attackers then switched to a second valid ASUS certificate to sign their malware.
Kamluk said ASUS continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky notified the company of the problem, though it has since stopped. But Kamluk said ASUS has still not revoked the two compromised certificates, which means the attackers, or anyone else with access to the unexpired certificate, could still sign malicious files with it, and machines would treat those files as legitimate ASUS files. Expiry alone does not help here: a code signature that was countersigned with a trusted timestamp while the certificate was still valid keeps validating after the certificate expires, so only revocation (and blocking the certificates downstream) closes the door.
This would not be the first time ASUS was accused of compromising the security of its customers. In 2016, the company was charged by the Federal Trade Commission with misrepresentation and unfair security practices over multiple vulnerabilities in its routers, cloud back-up storage and firmware update tool that could have allowed attackers to gain access to consumer files and router log-in credentials, among other things. The FTC claimed ASUS knew about those vulnerabilities for at least a year before fixing them and notifying customers, putting nearly a million US router owners at risk of attack. ASUS settled the case by agreeing to establish and maintain a comprehensive security program that would be subject to independent audit for 20 years.
The ASUS Live Update tool that delivered the malware to customers last year is installed at the factory on ASUS laptops and other devices. When users enable it, the tool contacts the ASUS update server periodically to check whether any firmware or other software updates are available.
The malicious file pushed to customer machines through the tool was called setup.exe, and purported to be an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 that the attackers injected with malicious code before signing it with a legitimate ASUS certificate. The attackers appear to have pushed it out to customers between June and November 2018, according to Kaspersky Lab. Kamluk said the use of an old binary with a current certificate suggests the attackers had access to the server where ASUS signs its files but not to the build server where it compiles new ones. Because the attackers used the same ASUS binary each time, it suggests they did not have access to the entire ASUS infrastructure, just part of the signing infrastructure, Kamluk notes. Legitimate ASUS software updates were still pushed to customers during the period the malware was going out, but those legitimate updates were signed with a different certificate that used extended validation (EV) protection, Kamluk said, making it harder to abuse; EV code-signing keys are required to live in hardware, which is what makes them harder to misuse from a compromised signing host.
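One check a defender can automate from the detail above, as an added example that is not part of the original article or of any Kaspersky or ASUS tooling: read the build timestamp from the PE header and compare it with the start of the signing certificate's validity. A binary that claims a 2015 build date but carries a certificate issued years later is exactly the old-binary-with-new-certificate mismatch described here, and it is also the kind of thing a "validly signed" verdict from a signature check or VirusTotal never surfaces. The certificate's notBefore is assumed to have been extracted separately (for example from the Authenticode signer certificate); the 30-day slack value and the stub PE header are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

SLACK_DAYS = 30  # assumption: a build more than a month older than its signer cert is worth a look


def pe_build_time(pe: bytes) -> datetime:
    """Read the COFF TimeDateStamp of a PE image (seconds since the Unix epoch, UTC)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_build_vs_cert(pe: bytes, cert_not_before: datetime) -> str:
    """Compare the build stamp with the signer certificate's notBefore.

    Returns one of:
      "timestamp-unset" - stamp is zeroed/stripped or in the future (e.g. a /Brepro hash
                           value); no conclusion possible, treat as unknown, not as benign
      "stale-build"     - binary claims to be built long before the signing cert existed
      "ok"              - build date is plausible for this certificate
    Caveat: the stamp is attacker-controlled, so "ok" proves nothing; a stale stamp under a
    new certificate is a reason to pull the sample for analysis, not a verdict by itself.
    """
    built = pe_build_time(pe)
    if built.year < 1990 or built > datetime.now(timezone.utc):
        return "timestamp-unset"
    if (cert_not_before - built).days > SLACK_DAYS:
        return "stale-build"
    return "ok"


def make_stub_pe(build_time: datetime) -> bytes:
    """Construct a minimal, non-executable PE header for the demo (not a real ASUS file)."""
    buf = bytearray(0x40 + 20)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    # Machine = i386, NumberOfSections = 1, TimeDateStamp = build time
    struct.pack_into("<HHI", buf, 0x44, 0x14C, 1, int(build_time.timestamp()))
    return bytes(buf)


def demo_verdicts() -> dict:
    """Three constructed samples against one hypothetical signer notBefore of 2018-01-01."""
    cert_nb = datetime(2018, 1, 1, tzinfo=timezone.utc)
    return {
        "old": assess_build_vs_cert(make_stub_pe(datetime(2015, 3, 1, tzinfo=timezone.utc)), cert_nb),
        "new": assess_build_vs_cert(make_stub_pe(datetime(2018, 6, 15, tzinfo=timezone.utc)), cert_nb),
        "zero": assess_build_vs_cert(make_stub_pe(datetime(1970, 1, 1, tzinfo=timezone.utc)), cert_nb),
    }


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name}: {verdict}")
```

In practice the same comparison is worth running the other way as well: a file signed with a certificate the vendor has publicly stopped using, or with a non-EV certificate when the vendor's current updates are EV-signed, is a cheap signal to route the update for a second look before it is trusted.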
The Kaspersky researchers collected more than 200 samples of the malicious file from customer machines, which is how they discovered the attack was multi-staged and targeted.
Buried in those malicious samples were hard-coded MD5 hash values that turned out to be unique MAC addresses for network adapter cards. MD5 is a hash function that maps any input to a fixed 128-bit value; it is no longer considered cryptographically sound, but here it only needed to hide the addresses from a casual reader. Every network card has a unique address assigned by the manufacturer of the card, and the attackers hashed each MAC address they were looking for before hard-coding those hashes into their malicious file, to make it harder to see what the malware was doing. The obfuscation is weak by design of the input, not the hash: a MAC address is only 48 bits, and its first 24 bits are a vendor prefix, so the remaining space is cheap to brute-force. The malware had 600 unique MAC addresses it was seeking, although the real number of targeted customers may be larger than this. Kaspersky can only see the MAC addresses that were hard-coded into the specific malware samples found on its customers' machines.
The Kaspersky researchers were able to crack most of the hashes they found to recover the MAC addresses, which helped them identify what network cards the victims had installed in their machines, but not the victims themselves. Any time the malware infected a machine, it collected the MAC address from that machine's network card, hashed it, and compared that hash against the ones hard-coded in the malware. If it found a match to any of the 600 targeted addresses, the malware reached out to asushotfix.com, a domain masquerading as a legitimate ASUS site, to fetch a second-stage backdoor that it downloaded to that machine. Because only a small number of machines ever contacted the command-and-control server, the malware stayed under the radar.
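The targeting logic described above, and the reason the hashes were recoverable, as an added example that is not code from the malware or from Kaspersky: hashing each adapter address and checking it against a hard-coded set is what the first stage did, and brute-forcing the 24-bit device half of a MAC under a known 24-bit vendor prefix (OUI) is the obvious way to turn those hashes back into addresses. The target MACs, the OUIs and the assumption that the six raw address bytes are what gets hashed are all constructed for this demo; the exact input format the real samples used is not stated on this page. Mapping a recovered prefix to a vendor name needs the IEEE OUI registry, which is not included here.

```python
import hashlib


def mac_bytes(mac: str) -> bytes:
    """'00:1A:2B:00:00:2A' -> six raw bytes (colons or dashes accepted, case-insensitive)."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_hash(mac: str) -> str:
    # Assumption: the six raw address bytes are what gets hashed. The article says the
    # samples carried MD5 hashes of MAC addresses; it does not say bytes vs. a text form.
    return hashlib.md5(mac_bytes(mac)).hexdigest()


# Constructed target list for the demo (hypothetical addresses, not from the real malware).
TARGET_MACS = ["00:1A:2B:00:00:2A", "F0:79:59:00:01:00"]
TARGET_HASHES = frozenset(mac_hash(m) for m in TARGET_MACS)


def is_targeted(local_macs, target_hashes=TARGET_HASHES) -> bool:
    """Implant side: hash each local adapter address and look it up in the hard-coded set.
    Nothing else happens on a non-match, which is why the first stage looked inert
    on the hundreds of thousands of machines that were not on the list."""
    return any(mac_hash(m) in target_hashes for m in local_macs)


def recover_macs(target_hashes, oui: str, suffix_limit: int = 1 << 24) -> dict:
    """Analyst side: brute-force the 24-bit device part under one vendor prefix (OUI).

    One pass tests every hash in the set at once via the set lookup, so 600 targets cost
    the same as one. The full 2^24 space is ~17 million MD5 calls per OUI, which is
    seconds in native code and minutes in pure Python; suffix_limit caps the demo run.
    Returns {hex_digest: recovered_mac} for whatever was found.
    """
    prefix = mac_bytes(oui)
    found = {}
    for n in range(suffix_limit):
        candidate = prefix + n.to_bytes(3, "big")
        digest = hashlib.md5(candidate).hexdigest()
        if digest in target_hashes:
            found[digest] = candidate.hex(":").upper()
            if len(found) == len(target_hashes):
                break
    return found


if __name__ == "__main__":
    print(is_targeted(["AA:BB:CC:DD:EE:FF"]))                        # not on the list: silent
    print(is_targeted(["AA:BB:CC:DD:EE:FF", "00:1a:2b:00:00:2a"]))  # on the list: would fetch stage 2
    print(recover_macs(TARGET_HASHES, "00:1A:2B", suffix_limit=0x100))
```

Two things follow from the arithmetic in recover_macs. First, the hashes were never a real obstacle to an analyst with the samples, only to a quick glance. Second, the same property cuts the other way for defenders: given the list of 600 digests, hashing the adapter addresses in your own asset inventory is an immediate way to tell whether any of your machines was an intended target rather than collateral.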
“They were not trying to target as many users as possible,” said Kamluk. “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”
Symantec's O'Murchu said he is not certain yet whether any of his company's customers were among those whose MAC addresses were on the target list and received the second-stage backdoor.
The command-and-control server that delivered the second-stage backdoor was registered May 3 last year but was shut down in November, before Kaspersky discovered the attack. Because of this, the researchers were unable to obtain a copy of the second-stage backdoor pushed out to victims or to identify victim machines that had contacted that server. Kaspersky believes at least one of its customers in Russia was infected with the second-stage backdoor when his machine contacted the command-and-control server on October 29 last year, but Raiu says the company does not know the identity of the machine's owner and so cannot contact him to investigate further.
There were early hints that a signed and malicious ASUS update was being pushed to users in June 2018, when a number of people posted comments in a Reddit forum about a suspicious ASUS alert that popped up on their machines for a “critical” update. “ASUS strongly recommends that you install these updates now,” the alert warned.
In a post titled “ASUSFourceUpdater.exe is trying to do some secret update, but it won't say what,” a user named GreyWolfx wrote, “I got an update popup from a .exe that I had never seen before today….I'm just curious if anyone knows what this update would possibly be for?”
When he and other users clicked on their ASUS updater tool to get information about the update, the tool showed that no recent updates had been issued by ASUS. But because the file was digitally signed with an ASUS certificate, and because scans of the file on the VirusTotal web site indicated it was not malicious, many accepted the update as legitimate and downloaded it to their machines. VirusTotal is a site that aggregates dozens of antivirus engines; users can upload suspicious files to see whether any of the tools flag them as malicious. Neither check could have caught this file: the signature was genuine, and a trojanized vendor binary with no prior detections looks clean to signature-based engines.
“I uploaded the executable [to VirusTotal] and it comes back as a validly signed file without issue,” one user wrote. “The spelling of 'force' and the empty details window are definitely odd, but I noticed odd grammar mistakes in other ASUS software installed on this machine, so it is not a smoking gun by itself,” he noted.
Kamluk and Raiu said this may not be the first time the ShadowHammer attackers have struck. They said they found similarities between the ASUS attack and ones previously carried out by a group Kaspersky has dubbed ShadowPad. ShadowPad targeted a Korean company that makes enterprise software for administering servers; the same group was also linked to the CCleaner attack. Although millions of machines were infected with the malicious CCleaner software update, only a subset of those were targeted with a second-stage backdoor, much like the ASUS victims. Notably, ASUS systems themselves were on the targeted CCleaner list.
The Kaspersky researchers believe the ShadowHammer attackers were behind the ShadowPad and CCleaner attacks and obtained access to the ASUS servers through the latter attack.
“ASUS was one of the primary targets of the CCleaner attack,” Raiu said. “One of the possibilities we are considering is that's how they initially got into the ASUS network and then later through persistence they managed to leverage the access … to launch the ASUS attack.”
https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
2019-03-25 15:33:57Z