It’s the sort of thing you never want to happen. Researchers from Kaspersky Lab found that hackers had infiltrated ASUS, one of the biggest computer manufacturers in the world, and masked a backdoor “ShadowHammer” trojan as a legitimate update that was then pushed out to users through the ASUS Live Update tool.
ASUS has officially responded to the claims, releasing a diagnostic for users to check their machines and new security patches to fix affected laptops.
According to the researchers, the supply chain attack used stolen digital certificates to mask the malware as legitimate ASUS updates, which were then distributed through the ASUS Live Update tool that comes pre-installed on ASUS machines. Based on their statistics, around 57,000 Kaspersky users on ASUS machines had downloaded and installed the compromised version of ASUS Live Update at some stage between June and November of last year. Kaspersky could only count affected users who had its anti-virus software installed, but it asserted that “the real scale of the problem” could have affected up to a million ASUS machines worldwide.
Kaspersky notified ASUS of their findings on January 31 this year, and Motherboard – which originally reported the findings – contacted ASUS last week asking for a response to the researchers’ claims. Kotaku Australia contacted ASUS’s local team on Tuesday asking for a reply, and was told that an official announcement would be made later that day.
An official response has appeared on the ASUS website this morning, with the Taiwanese manufacturer saying the attack came from “Advanced Persistent Threat” groups that are typically run by nation states. “Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organisations or entities instead of consumers,” the company said.
ASUS disputes the numbers of machines affected, saying that “only a very small number of specific user group were found to have been targeted by this attack”.
“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” ASUS wrote, without providing details about that user group.
The post doesn’t entirely contradict Kaspersky’s findings, however. The researchers said the attack could have compromised up to a million PCs, but noted that the hackers responsible were mostly focused on targeting select machines.
While this means that potentially every user of the affected software could have become a victim, the actors behind ShadowHammer were focused on gaining access to several hundred users, which they had prior knowledge about. As Kaspersky Lab’s researchers discovered, each backdoor sample contained a table of hardcoded MAC addresses – the unique identifier of the network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor verified its MAC address against this table.
If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity, which is why it remained undiscovered for such a long time. In total, security experts were able to identify more than 600 MAC addresses. These were targeted by over 230 unique backdoored samples with different shellcodes.
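The check that Kaspersky's lookup site performs for users is, at its core, the same comparison the backdoor made in reverse: normalise the machine's adapter MAC addresses and test them against a list of targeted entries. The script below is an added example written for this article, not Kaspersky's, ASUS's or the malware's code. The target list in it is constructed for illustration and is not the real ShadowHammer list; the article does not say how the malware stored its table, so the checker accepts either plain MACs in common notations or a hex digest (MD5 or SHA-256) of the canonical 12-hex-digit form, which is an assumption to cover a defender who only holds hashed indicators.

```python
"""Check a machine's network adapter MAC addresses against a list of
targeted MACs, in the spirit of the user-facing lookup described above.

Added example, not code from the article or from Kaspersky/ASUS.
CONSTRUCTED_TARGET_LIST is made up for illustration only.
"""
import hashlib
import re
import uuid

# Constructed sample entries (not real targets). An entry is either a MAC
# in any common notation, or an MD5/SHA-256 hex digest of the canonical
# form "aabbccddeeff" (assumption: indicators may be shared as hashes).
CONSTRUCTED_TARGET_LIST = [
    "00-11-22-33-44-55",                          # Windows-style dashes
    "AA:BB:CC:DD:EE:01",                          # colon notation, upper case
    "aabb.ccdd.ee02",                             # Cisco dotted notation
    hashlib.md5(b"aabbccddee03").hexdigest(),     # hashed entry
]

_HEX = re.compile(r"[^0-9a-f]")


def canonical_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits.

    Raises ValueError if the string does not contain exactly 12 hex digits.
    """
    digits = _HEX.sub("", mac.strip().lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_index(entries):
    """Split indicator entries into a set of plain MACs and a set of digests."""
    plain, digests = set(), set()
    for entry in entries:
        digits = _HEX.sub("", entry.strip().lower())
        if len(digits) == 12:
            plain.add(digits)
        elif re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{64}", digits):
            digests.add(digits)          # MD5 (32) or SHA-256 (64) hex digest
        else:
            raise ValueError(f"unrecognised indicator: {entry!r}")
    return plain, digests


def local_macs():
    """Best-effort list of this host's adapter MACs via uuid.getnode().

    If the OS cannot supply a hardware address, getnode() returns a random
    48-bit value with the multicast bit set; such a value is discarded.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:                 # multicast bit of the first octet
        return []
    return ["%012x" % node]


def matches(macs, entries=CONSTRUCTED_TARGET_LIST):
    """Return the canonical MACs from `macs` that appear in `entries`,
    either verbatim or as an MD5/SHA-256 digest, in input order."""
    plain, digests = build_index(entries)
    hits = []
    for mac in macs:
        c = canonical_mac(mac)
        raw = c.encode()
        if (c in plain
                or hashlib.md5(raw).hexdigest() in digests
                or hashlib.sha256(raw).hexdigest() in digests):
            hits.append(c)
    return hits


if __name__ == "__main__":
    found = matches(local_macs())
    print("adapters on the target list:", found or "none")
```

Run on a host, the script reports whether the primary adapter's address is on the supplied list; for a fleet, feed `matches()` the MACs collected by inventory tooling and the indicator list you actually hold. Because the backdoor stayed silent on non-matching machines, a negative result here says nothing about whether the trojanised updater itself is present; the ASUS diagnostic and patch still apply to every affected installation.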
Kaspersky researchers are due to present more of their findings on Operation ShadowHammer at the Security Analyst Summit 2019 in Singapore next month. The company has also established a website for users to check whether any MAC addresses in their machines are compromised.