Backdoors added to ASUS computers through its software update platform resulted in what Kaspersky researchers are calling one of the largest supply chain incidents ever, “ShadowHammer,” which even surpassed the scope of the CCleaner attack.
Researchers estimated the malware was distributed to nearly a million people, although the attackers appeared to target only 600 specific MAC addresses, whose hashes were hardcoded into different versions of the utility.
“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” Kaspersky researchers said in a report. “The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time.”
Researchers also noted the same techniques were used against software from three other unnamed vendors which have since been notified along with ASUS. In the meantime, users should update the ASUS Live Update Utility, researchers recommended.
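The targeting mechanism described above, a hardcoded list of MAC-address hashes that the implant compares against the local adapters, is also what a defender can turn around into a host check: hash the machine's own MAC addresses the same way and look for a hit in the indicator list. The following is an added example, not code from Kaspersky or ASUS. It assumes MD5 as the digest and tries several common renderings of the address (upper/lower case, colon, dash or no separator) because the exact string form the attacker hashed is not stated on this page; the target hashes are built from constructed MAC addresses and are not real ShadowHammer indicators.

```python
import hashlib
import uuid

HEX = set("0123456789ABCDEF")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 uppercase hex characters with separators stripped."""
    raw = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(raw) != 12 or any(ch not in HEX for ch in raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def renderings(mac: str) -> set:
    """All string forms of one MAC that a hardcoded list might have hashed.

    Assumption: the attacker hashed a plain text rendering; we cover the
    usual separator and case variants so a single list format is not assumed.
    """
    raw = normalize_mac(mac)
    pairs = [raw[i:i + 2] for i in range(0, 12, 2)]
    forms = set()
    for sep in ("", ":", "-"):
        joined = sep.join(pairs)
        forms.add(joined)
        forms.add(joined.lower())
    return forms


def build_target_hashes(macs, render=lambda p: ":".join(p)) -> set:
    """Simulate the hardcoded list: MD5 of one chosen rendering per MAC.

    Constructed for the example; an analyst would instead load published
    indicator hashes. MD5 is an assumption, not a fact from the article.
    """
    out = set()
    for mac in macs:
        raw = normalize_mac(mac)
        pairs = [raw[i:i + 2] for i in range(0, 12, 2)]
        out.add(hashlib.md5(render(pairs).encode()).hexdigest())
    return out


def check_mac(mac: str, target_hashes: set):
    """Return the rendering whose hash is in the indicator list, else None."""
    for form in renderings(mac):
        if hashlib.md5(form.encode()).hexdigest() in target_hashes:
            return form
    return None


def scan(macs, target_hashes: set) -> list:
    """Check many adapters at once; returns (mac, matched_rendering) pairs."""
    hits = []
    for mac in macs:
        matched = check_mac(mac, target_hashes)
        if matched is not None:
            hits.append((mac, matched))
    return hits


def local_macs() -> list:
    """Best-effort local hardware address via the standard library.

    uuid.getnode() may return a random value when no adapter is found, so on a
    real host an inventory tool should enumerate interfaces directly.
    """
    return [f"{uuid.getnode():012X}"]


if __name__ == "__main__":
    # Constructed indicator list standing in for the hardcoded hashes.
    targets = build_target_hashes(["00:11:22:33:44:55", "66-77-88-99-AA-BB"])
    for mac, form in scan(local_macs(), targets):
        print(f"MATCH: {mac} (as {form!r}) is on the target list")
    print("scan complete")
```

Because the checker hashes every rendering and only reports a hit on equality, it can run over an asset inventory export of MAC addresses without ever needing the original indicator list in clear text, which is the same property that made the implant's target list hard to recover from the binary.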
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said cybercriminals see code signing certificates as a valuable target due to their extreme power.
“Code signing certificates are used to establish which updates and machines should be trusted, and they are in the applications that power cars, laptops, planes and more,” Bocek said. “Nearly every operating system is dependent on code signing, and we will see many more certificates in the near future due to the rise of mobile apps, DevOps and IoT devices.”
Bocek added that, unfortunately, many organizations rely on developers who aren’t prepared to defend these assets to protect the code signing process, and that most security teams don’t even know whether their developers are using code signing or who may have access to the code signing process.
“It’s imperative for organizations to know what code-signing certificates they have in use and where, especially as it’s likely we’ll see similar attacks in the future,” Bocek said.
BitSight Vice President Jake Olcott said supply chain risk presents one of the biggest cybersecurity challenges today.
“Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” Olcott said. “Companies must conduct more rigorous diligence and continuously monitor these critical vendors in order to get a better handle on this risk.”
Mark Orlando, CTO, cyber protection solutions, at Raytheon Intelligence, said that it may be what we don’t yet know that makes the attack more interesting.