Asus Releases Fix for Supply Chain Attack


The Taiwan-based computer and phone hardware company has released a fix for the recent supply chain attack, a day after security researchers disclosed the attack and the weaknesses in code signing processes it exposed.

According to Kaspersky Lab's security researchers, attackers injected a backdoor into the Asus Live Update utility between June and November 2018. More than a million users worldwide received the backdoored utility.

According to Reuters, Asus has claimed that only “a small number of devices” were affected by the malicious code. Asus also said its server-to-end-user software had been updated and hardened to prevent similar attacks in future, and it provided an online security diagnostic tool with which users can check whether their system was affected.

According to the researchers, Operation ShadowHammer, the newly discovered supply chain attack carried out through the Asus Live Update servers, was an advanced persistent threat (APT) campaign. They added that supply chain attacks are among the most dangerous and effective infection vectors, and have been increasingly used in sophisticated operations over the past couple of years.

The attackers targeted the Asus Live Update utility, software pre-installed on most recent Asus computers to deliver automatic updates for UEFI, BIOS, applications and drivers.

The attackers tampered with older versions of the Asus software and injected their malicious code into it. The trojanised versions of the utility were signed with legitimate certificates and distributed from the official Asus servers, the researchers said.

Supply chain cyber-attackers chose their victims

Although every user of the affected utility could have been a victim of this supply chain attack, the attackers focused on only several hundred users about whom they had prior information.

The malicious code was embedded with a table of hard-coded MAC addresses. Once the code ran on a victim's system, the backdoor checked the machine's MAC address against that table. If the MAC address matched an entry, the next stage of malicious code was downloaded; otherwise the updater showed no network activity at all. This is why the attack went undiscovered for so long.

The attackers targeted more than 600 MAC addresses using more than 230 unique backdoor samples.
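The targeting check described above, written from the defender's side: enumerate the host's adapters and look them up in a table of targeted MAC addresses. This is an added example, not ASUS's or Kaspersky's diagnostic tool, and the target entries in it are constructed for illustration rather than real indicators. It also accepts a table of MD5 digests of the canonical MAC, which is an assumption of this example (a way a target list can ship without revealing the MACs), not something the article states about ShadowHammer. The practical points it shows are MAC normalisation across the formats different tools emit, skipping adapters that have no hardware address, and that the whole check runs without touching the network.

```python
"""Added example: check a host's adapters against a table of targeted MAC addresses.

Mirrors, from the defender's side, the targeting check the article describes
(the backdoor compares the machine's MAC to a hard-coded table). It is not
ASUS's or Kaspersky's diagnostic tool; the target entries below are
constructed for the example and are not real indicators.
"""
import glob
import hashlib
import re

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits with no separators.

    Accepts 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' and
    'AABBCCDDEEFF'. Anything else raises, so a malformed entry can never
    silently match (or silently fail to match) a real adapter.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _MAC12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def lookup_key(mac: str, hashed: bool = False) -> str:
    """Key used for table lookup: the canonical MAC, or its MD5 digest.

    The hashed form is an assumption of this example (a digest table hides
    the targets from anyone reading the list); the article does not say how
    the ShadowHammer table was stored.
    """
    canon = normalize_mac(mac)
    return hashlib.md5(canon.encode()).hexdigest() if hashed else canon


def build_target_table(entries, hashed: bool = False) -> set:
    """Build the lookup set from MAC strings (any common format) or hex digests."""
    if hashed:
        return {e.strip().lower() for e in entries}
    return {normalize_mac(e) for e in entries}


def matching_macs(local_macs, target_table, hashed: bool = False) -> list:
    """Return the local MACs (canonical form) found in the table, in input order.

    Adapters whose address cannot be parsed (e.g. an empty string for an
    interface without a hardware address) are skipped rather than matched.
    """
    hits = []
    for mac in local_macs:
        try:
            key = lookup_key(mac, hashed)
        except ValueError:
            continue
        if key in target_table:
            hits.append(normalize_mac(mac))
    return hits


def local_macs_linux() -> list:
    """Read every adapter's hardware address from sysfs (Linux only).

    On other platforms the glob matches nothing and an empty list is returned;
    substitute the OS's adapter enumeration there. Nothing here touches the
    network, which is why an on-host check of this kind is silent.
    """
    macs = []
    for path in glob.glob("/sys/class/net/*/address"):
        try:
            with open(path) as fh:
                macs.append(fh.read().strip())
        except OSError:
            continue
    return macs


# Constructed target table for the example (not real indicators).
EXAMPLE_TARGETS = ["00:11:22:33:44:55", "66-77-88-99-AA-BB"]

if __name__ == "__main__":
    table = build_target_table(EXAMPLE_TARGETS)
    for hit in matching_macs(local_macs_linux(), table):
        print("adapter matches target table:", hit)
```

Normalising before comparison matters in practice: a list copied from a report may use dashes or uppercase while the OS reports colons and lowercase, and a naive string comparison would miss every hit. Note that a MAC-based check only identifies whether a machine was on the attackers' list, not whether it received the trojanised updater; the latter needs the file hashes of the signed binaries.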

The precautions and the care the attackers took in executing the code clearly indicate that they wanted to remain undetected while hitting their targets.

Vitaly Kamluk, director of Kaspersky Lab’s APAC Global Research and Analysis Team, said, “The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer bases”.

He added that the attackers' goal is not yet clear and that his team is still researching who was behind this supply chain attack. However, the techniques used to achieve execution of the unauthorised code suggest that ShadowHammer is apparently related to the Barium APT.

“Nearly every operating system is dependent on code signing. However, cybercriminals see code signing certificates as a valuable target due to their extreme power”, said Kevin Bocek, vice president of security strategy and threat intelligence, Venafi.