Asus backdoor hits targets with officially signed update

Security researchers discovered a malicious backdoor being spread through the official Asus Live Updater, but the number of infected systems is unclear.

Researchers at Kaspersky Lab said a "sophisticated" supply chain attack, which it calls ShadowHammer, took place between June and November 2018. Threat actors hijacked the Asus Live Update software to deliver a malicious backdoor to users via officially signed software.

Kaspersky Lab said "over 57,000 Kaspersky users have downloaded and installed" the Asus backdoor, but estimated it could ultimately affect "over a million users worldwide." Motherboard, which first reported the story, said researchers estimated half a million systems were infected. However, Asus downplayed the issue and said only "a very small number of devices have been implanted" with the backdoored software.

Despite the discrepancy, Kaspersky Lab said the aim of the Asus backdoor was to target a much smaller subset of those infected by the Trojanized updater.

"The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters' MAC [media access control] addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation," Kaspersky wrote in a blog post. "We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list."

Costin Raiu, director of Kaspersky Lab's global research and analysis team, added on Twitter that the Asus backdoor checked both the network interface card and Wi-Fi adapters to identify the targeted victims.

Matt Blaze, associate professor of computer and information science at the University of Pennsylvania, found the inclusion of MAC addresses to be a confusing piece of the Asus backdoor.

"An interesting question is how the ASUS attacker got the MAC addresses to target. MAC addresses aren't generally exposed across the 'net. This suggests they either already had visibility into the target's network or they had some way to map ASUS machines to specific customers," Blaze wrote on Twitter. "Embedding the MAC addresses in the malware was a curious choice. An advantage of deploying the attack software to everyone through the update mechanism is that it obscures who the true targets are. But exposing the list of addresses this way destroys that advantage."

Kaspersky Lab said there was evidence to attribute the attacks to the Barium advanced persistent threat group who was behind the ShadowPad incident in 2017 -- a similar attack that hijacked a vendor's software supply chain in order to deliver malware.  

Kaspersky Lab said it informed Asus about the attacks on Jan. 31, 2019. The Motherboard story added that Kaspersky Lab and Asus met in person on Feb. 14, but Asus was "largely unresponsive" after that.

Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab's global research and analysis team, told Motherboard that the Asus backdoor was signed with legitimate certificates from AsusTek, and the certificates were still valid at the time of the initial report on Monday, March 25.

Asus did not respond to requests for comment. But, on March 26, Asus announced a patch and preventative measures to avoid future issues.

"ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," Asus wrote in a statement. "ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."

Asus added that it developed a tool to determine if the backdoored software was on a user's system, and Kaspersky Lab created a tool to check if a system's MAC address matches one of those targeted by the threat actors.

Kaspersky said it will present additional research about the ShadowHammer attack at its 2019 Security Analyst Summit in Singapore next month.