ASUS software update hacked and used to spread malware
Do you remember the CCleaner hack? It was one of the most profitable cyber-attacks in history: in September 2017 it managed to infect the systems of about 2.3 million users simply by shipping a backdoored version of the software itself. Well, a few weeks ago something similar happened: researchers unearthed another huge supply-chain attack, this time compromising more than 1 million ASUS computers.
ASUS software hacking: what happened?
Last year, a group of hackers managed to tamper with ASUS Live Update, the manufacturer's automatic software updater, before ASUS distributed it between June and November 2018. The trojanized update was used to install a backdoor on more than a million Windows-based computers.
According to Kaspersky Lab security researchers, who were the first to discover the attack and dubbed it Operation ShadowHammer, ASUS was informed of the incident in late January.
After analyzing more than 200 samples of infected updates, the researchers concluded that the attack was not indiscriminate: the malware carried a very specific list of target users, identified by the MAC addresses of their network adapters, which had been hard-coded into it. "We were able to extract over 600 unique MAC addresses from more than 200 samples involved in the attack. Of course, there could be others with different addresses," the researchers pointed out.
Just like in the CCleaner and ShadowPad attacks, the malicious file carried an official ASUS digital signature, so that it appeared to come directly from the manufacturer. That earned it the trust of users and of antivirus software, which, in the cyber criminals' plans, would not detect the anomaly for quite some time.
Researchers were unable to link the attack to any known APT group; however, the evidence seems to show similarities to the 2017 ShadowPad case, which was attributed to the BARIUM APT group. "Recently, our colleagues at ESET told us about another supply-chain attack in which the BARIUM group was found to be involved, and we believe it also has something to do with our case," the Kaspersky researchers said.
About 57 thousand Kaspersky users reportedly installed the infected ASUS update. "We are not able to calculate the total number of users affected by the attack, at least not based only on the data in our possession; however, it is reasonable to think that it could be as high as one million," the researchers specified.
Support for that estimate comes from Symantec, which detected the malware on more than 13 thousand systems running its own antivirus. Most of the affected Kaspersky users live in Russia, Germany, France, Italy, and the United States, but the malware has spread worldwide. Kaspersky immediately informed ASUS and other antivirus vendors, but the investigation into the matter is still ongoing.
For those of you who own an ASUS computer and use Kaspersky, the manufacturer has released a tool that lets you check whether your computer has been hit by ShadowHammer.
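The targeting described above (a list of victim MAC addresses carried inside the malware) is also what a checker like the one just mentioned has to test for on the local host. The following Python script is an added example written for this article, not Kaspersky's or ASUS's tool: it normalizes MAC addresses written in the different notations a scraped list might use, stores them as SHA-256 fingerprints (an assumption made here so a checker can be distributed without shipping the raw list; the page does not describe the real list's format), and compares the host's adapter address against them. The three target addresses are constructed placeholders, not addresses from the actual ShadowHammer list.

```python
import hashlib
import re
import uuid

# Constructed sample of targeted MAC addresses in the mixed notations a
# list assembled from many samples might contain. Placeholders only, not
# addresses from the real ShadowHammer target list.
SAMPLE_TARGET_MACS = [
    "00:11:22:33:44:55",   # colon-separated
    "AA-BB-CC-DD-EE-FF",   # dash-separated, upper case
    "0a1b.2c3d.4e5f",      # dotted notation
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the canonical lowercase 12-hex-digit form of a MAC address.

    Any separator is dropped; anything that does not leave exactly twelve
    hex digits is rejected, so junk never matches a target by accident.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def fingerprint(mac: str) -> str:
    """SHA-256 of the canonical MAC (assumed list format, see lead-in)."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_set(macs):
    """Fingerprint every address once, whatever notation it came in."""
    return {fingerprint(m) for m in macs}


def is_targeted(mac: str, target_set) -> bool:
    """True if this address is on the list; malformed input is simply 'no'."""
    try:
        return fingerprint(mac) in target_set
    except ValueError:
        return False


def local_macs():
    """MAC of the primary adapter via the standard library.

    uuid.getnode() returns a random 48-bit number with the multicast bit
    (least significant bit of the first octet, bit 40) set when it cannot
    read a hardware address; such values are not real adapters and are
    skipped rather than compared.
    """
    node = uuid.getnode()
    if node & (1 << 40):
        return []
    return [f"{node:012x}"]


def check_host(target_set):
    """List of local adapter addresses that appear on the target list."""
    return [m for m in local_macs() if is_targeted(m, target_set)]


if __name__ == "__main__":
    targets = build_target_set(SAMPLE_TARGET_MACS)
    hits = check_host(targets)
    if hits:
        print("local adapter on the target list:", hits)
    else:
        print("no local adapter matches the sample target list")
```

The normalization step is the part worth copying: MAC addresses collected from different sources rarely share a notation, and a checker that compares raw strings will silently miss a match such as "AA-BB-CC-DD-EE-FF" against "aa:bb:cc:dd:ee:ff". On a host with several adapters, replace `local_macs` with an enumeration of every interface rather than the single address the standard library picks.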
Swascan Marketing Team