On Monday, we saw again how criminals can take advantage of trust and use it as a weakness.
Kaspersky Lab reported that one of the world's largest computer manufacturers, Taiwan-based ASUS, had mistakenly installed a backdoor program called "ShadowHammer" on the computers of thousands of users after hackers infiltrated the company's automated software update system.
Initial expert estimates suggest that the trojanized update could affect up to half a million Windows machines. Kaspersky reported that 57,000 users were attacked by ASUS products, "but we estimate that it was distributed to approximately 1
The attacker's motive remains unclear, but Kaspersky noted that 600 MAC addresses were deliberately targeted, even though the malicious update affected far more machines.
Gizmodo has reached out to ASUS for comment and will update this post as soon as one is provided. Motherboard, which broke the news, said it had contacted ASUS only on Thursday but had not yet received a response.
ShadowHammer is a supply chain attack, in which hackers reach their targets by injecting malicious code into a hijacked third-party software update. On average, companies are much less suspicious of these updates because they are provided by vendors whose software is already trusted. Applying updates is also something IT pros should do right away, as they regularly include security patches to make a product more secure.
This form of transitive trust is becoming increasingly dangerous as supply chain attacks grow, as multiple analyses of the evolving threat landscape published at the end of 2018 described. For example, Symantec found that supply chain attacks had increased by 78 percent year-on-year. Notable incidents included CCleaner, a widely used security clean-up tool, and NotPetya, which injected a payload into Ukrainian accounting software.
Because the malicious file was signed with ASUS digital certificates and distributed through official channels, the Director of Research and Analysis at Kaspersky told Motherboard that the incident illustrates "that the trust model we used, based on well-known manufacturer names and validating digital signatures, cannot guarantee that you are protected against malware."
ASUS has already faced Federal Trade Commission (FTC) charges over vulnerabilities in its routers, deficiencies it was accused of hiding from consumers a year or more ago, which it resolved by pledging to "establish and maintain a comprehensive safety program that would be subject to independent audits for the next 20 years."
It is still too early to say whether the FTC is taking action and investigating, or whether it is considered a violation of the previous order. (The FTC Act authorizes the Commission to request civil sanctions and/or injunctions if companies breach such agreements.)
"In investigating this attack, we found that the same techniques were used against software from three other vendors. Of course, we have informed ASUS and other companies about the attack," Kaspersky said, adding that anyone using the ASUS Live Update Utility is advised to update immediately.
A technical paper revealing more about ShadowHammer will be released during the Kaspersky Security Analyst Summit next month.