According to researchers at cybersecurity firm Kaspersky Lab, ASUS, one of the world's largest computer manufacturers, was used to unwittingly install a malicious backdoor on thousands of customers' computers last year after attackers compromised the server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says.
ASUS, a multi-billion dollar computer hardware company based in Taiwan, manufactures desktops, laptops, mobile phones, smart home systems, and other electronic devices. According to the Moscow-based security firm's research, the backdoor was pushed to customers for at least five months last year before it was discovered.
Researchers estimate that half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have targeted only about 600 of those systems. The malware searched for its target systems using their unique MAC addresses. If the malware found itself on a system with one of those targeted addresses, it reached out to an attacker-controlled command-and-control server, which then installed additional malware on that computer.
Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanner, designed to catch anomalous code fragments hidden in legitimate code, or code that hijacks normal operations on a machine. The company plans to release a full technical paper and presentation on the ASUS attack, which it has named ShadowHammer, next month at its Security Analyst Summit in Singapore. In the meantime, Kaspersky has published some technical details on its website.
The issue highlights the growing threat of so-called supply chain attacks, in which malicious software or components are installed on systems while they are being manufactured or assembled, or afterwards through trusted vendor channels. Last year the US set up a supply chain task force to investigate the issue after a series of supply chain attacks came to light in recent years. Besides implants added to hardware or software during manufacturing, vendor software updates are an ideal way to deliver malware to systems after they have been sold, because customers trust manufacturer updates, especially when they are signed with a legitimate digital certificate from the manufacturer.
"This attack shows that the trust model we use, based on known vendor names and digital signatures, cannot guarantee that you're safe from malware," said Vitaly Kamluk, director of Kaspersky Lab's Asia-Pacific research and analysis team, who led the research. He notes that when the researchers contacted the company in January, ASUS denied to Kaspersky that its server had been compromised and that the malware had come from its network. The download path for the malware samples Kaspersky collected led directly to the ASUS server, Kamluk said.
Motherboard sent ASUS a list of Kaspersky's claims on Thursday in three separate emails but has not heard back from the company.
But US security firm Symantec confirmed Kaspersky's findings on Friday after Motherboard asked whether any of its customers had received the malicious download. The company is still investigating the matter, but said in a phone call that at least 1
"We saw that the updates came down from the ASUS Live Update server. They were trojanized, or malicious updates, and they were signed by ASUS," said Liam O'Murchu, director of development for Symantec's Security Technology and Response group.
This is not the first time attackers have used trusted software updates to infect systems. The notorious Flame spyware tool, developed by some of the same attackers behind Stuxnet, was the first known attack to deceive users this way, hijacking the Windows Update tool on targeted computers to infect them. Flame, which was discovered in 2012, was signed with an unauthorized Microsoft certificate that the attackers obtained by tricking Microsoft's system into issuing it. In that case the attackers did not compromise the Microsoft update server to deploy Flame. Instead, they redirected the software update tool on targeted client machines so that it contacted an attacker-controlled malicious server rather than the legitimate Microsoft update server.
Two other attacks discovered in 2017 also involved trusted software updates. One targeted the computer cleanup tool CCleaner, which distributed malware to customers through a software update; more than 2 million customers received the malicious update before it was discovered. The other was the infamous notPetya attack, which infected machines in Ukraine through a malicious update to an accounting software package.
Costin Raiu, director of Kaspersky's Global Research and Analysis Team, said the ASUS attack differed from the others. "I would say that this attack stands out from previous attacks, but is one step higher in complexity and stealthiness. The surgical filtering of targets by their MAC address is one of the reasons why they remained undetected for so long. If you are not a target, the malware is virtually silent," he told Motherboard.
But even though it stayed silent on non-targeted systems, the malware still gave the attackers a backdoor into any infected ASUS system. Tony Sager, senior vice president at the Center for Internet Security, who spent years performing defensive vulnerability assessments for the NSA, said the attackers' method of targeting specific computers is odd.
"Supply chain attacks fall into the 'big deal' category; it's a sign of someone who is careful and has something planned," he said in a call with Motherboard. "But if you figure out something that hits tens of thousands of targets when you're really just going after a few, then it's really going at it with a hammer."
The Kaspersky researchers discovered the malware on a customer's computer on January 29. They created a signature to find the malicious update file on other customer systems and discovered that more than 57,000 Kaspersky customers were infected with it. This victim count covers only Kaspersky customers, however; Kamluk said the actual number is likely in the hundreds of thousands.
Most of the infected Kaspersky customer machines (about 18 percent) were in Russia, followed by smaller numbers in Germany and France. Only about 5 percent of infected Kaspersky customers were in the United States. According to Symantec's O'Murchu, about 15 percent of the 13,000 infected machines belonging to his company's customers were in the United States.
Kamluk said Kaspersky informed ASUS of the problem on January 31, and a Kaspersky employee met with ASUS in person on February 14. However, he said the company has largely failed to respond since then and has not informed ASUS customers about the problem.
The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, after which the attackers switched to a second legitimate ASUS certificate to sign their malware.
Kamluk said ASUS continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky informed the company of the problem, but has since stopped. However, Kamluk said ASUS has still not revoked the two compromised certificates. This means that the attackers, or anyone else with access to the unexpired certificate, can use it to sign malicious files that machines will treat as legitimate ASUS files.
This is not the first time ASUS has been accused of compromising its customers' security. In 2016, the Federal Trade Commission accused the company of misrepresentation and unfair security practices over multiple vulnerabilities in its routers, cloud backup storage, and firmware update tools that allowed attackers to access customer files and router login credentials, among other things. The FTC claimed that ASUS knew about these vulnerabilities for at least a year before fixing them and notifying customers, putting nearly one million US router owners at risk. ASUS settled the case by agreeing to establish and maintain a comprehensive security program that would be independently audited for 20 years.
The ASUS Live Update tool, which delivered the malware to customers last year, comes factory-installed on ASUS laptops and other devices. When users enable it, the tool periodically contacts the ASUS update server to check whether firmware or other software updates are available.
The malicious file delivered to client computers through the tool was called setup.exe and purported to be an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 that the attackers had injected with malicious code before signing it with a legitimate ASUS certificate. According to Kaspersky Lab, the attackers pushed it to users between June and November 2018. Kamluk said the use of an old binary with a recent certificate indicates that the attackers had access to the server on which ASUS signs its files, not the build server on which new files are created. Because the attackers used the same ASUS binary each time, this suggests they did not have access to the entire ASUS infrastructure, only to part of the signing infrastructure, Kamluk notes. Legitimate ASUS software updates were still being distributed to customers during the period the malware was being pushed out. However, those legitimate updates were signed with a different certificate that used enhanced validation protection, Kamluk said, which makes them harder to forge.
Kaspersky researchers collected more than 200 samples of the malicious file from customer computers. This is how they found out that the attack was multi-stage and targeted.
The malicious samples contained hard-coded MD5 hashes that turned out to be hashes of the unique MAC addresses of network adapter cards. MD5 is an algorithm that produces a cryptographic representation, or hash value, of the data passed through it. Each network card has a unique ID or address assigned by the card's manufacturer; the attackers created a hash for each MAC address they were looking for, then hard-coded those hashes into their malicious file to make it harder to work out which NICs the malware was hunting for. The malware searched for 600 unique MAC addresses, although the actual number of targeted customers may be larger, since Kaspersky can only see the MAC addresses hard-coded in the malware samples it found on its own customers' computers.
The Kaspersky researchers were able to crack most of the recovered hashes to determine the MAC addresses of the network cards installed in the victims' computers, but not the identities of the victims themselves. Each time the malware infected a computer, it fetched the MAC address from the computer's network card, hashed it, and compared that hash with the ones hard-coded in the file. If it matched one of the 600 target addresses, the malware reached out to asushotfix.com, a site posing as a legitimate ASUS site, and fetched a second-stage backdoor that it downloaded onto that system. Only a small number of machines ever contacted the command-and-control server, which helped the malware stay under the radar.
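As an added illustration (not code from the article, Kaspersky or ASUS), here is the defender-side version of the mechanism described above: hash each local MAC address with MD5 and compare the digests against a published list of target hashes. The article does not say which byte form of the MAC the malware hashed, so the check tries several plausible encodings; the target hashes below are constructed sample values, not the real ShadowHammer list.

```python
import hashlib
import os
import uuid


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def mac_encodings(mac: str) -> dict:
    """Candidate byte encodings of one MAC address.
    Which form was hashed is an assumption here, so every common form is tried."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    hexstr = raw.hex()
    pairs = [hexstr[i:i + 2] for i in range(0, 12, 2)]
    return {
        "raw6": raw,                                     # the 6 bytes themselves
        "hex_lower": hexstr.encode(),                    # "001122334455"
        "hex_upper": hexstr.upper().encode(),            # "001122334455".upper()
        "colon_lower": ":".join(pairs).encode(),         # "00:11:22:33:44:55"
        "colon_upper": ":".join(pairs).upper().encode(), # "00:11:22:33:44:55".upper()
        "dash_upper": "-".join(pairs).upper().encode(),  # Windows ipconfig style
    }


def check_macs(macs, target_hashes):
    """Return (mac, encoding, digest) for every local MAC whose MD5 is on the target list."""
    targets = {h.lower() for h in target_hashes}
    hits = []
    for mac in macs:
        for form, data in mac_encodings(mac).items():
            digest = _md5_hex(data)
            if digest in targets:
                hits.append((mac, form, digest))
    return hits


def local_macs():
    """Best-effort list of this host's MACs: Linux /sys/class/net, else uuid.getnode()."""
    found = []
    sysdir = "/sys/class/net"
    if os.path.isdir(sysdir):
        for iface in os.listdir(sysdir):
            try:
                with open(os.path.join(sysdir, iface, "address")) as f:
                    addr = f.read().strip()
            except OSError:
                continue
            if addr and addr != "00:00:00:00:00:00":
                found.append(addr)
    if not found:
        node = uuid.getnode()
        found.append(":".join(f"{(node >> s) & 0xff:02x}" for s in range(40, -1, -8)))
    return found


# Constructed sample target list (NOT the real hashes): one digest over the raw
# bytes of 00:11:22:33:44:55, one over the lowercase colon form of aa:bb:cc:dd:ee:ff.
SAMPLE_TARGET_HASHES = [_md5_hex(bytes.fromhex("001122334455")), _md5_hex(b"aa:bb:cc:dd:ee:ff")]

if __name__ == "__main__":
    for mac, form, digest in check_macs(local_macs(), SAMPLE_TARGET_HASHES):
        print(f"MATCH: {mac} as {form} -> {digest}")
```

The same check generalizes to any target list expressed as hashes of a small identifier space: because a MAC is only 48 bits and the first 24 are a vendor prefix, hashing gives the attacker little secrecy, which is why the researchers could recover most of the addresses.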
"They did not try to attack as many users as possible," Kamluk said. "They were going after very specific targets and already knew their network card MAC addresses in advance, which is very interesting."
Symantec's O'Murchu said he was not yet sure whether any of his company's customers were among those whose MAC addresses were on the target list and who received the second-stage backdoor.
The command-and-control server that served the second-stage backdoor was registered on May 3 last year but was shut down in November, before Kaspersky discovered the attack. For this reason the researchers were unable to obtain a copy of the second-stage backdoor delivered to the victims, and could not identify any victim machine that had contacted that server. Kaspersky believes at least one of its customers in Russia was infected with the second-stage backdoor when its computer contacted the command-and-control server on October 29 last year. However, Raiu said the company does not know the identity of the machine's owner, so it cannot contact them to investigate.
There was early evidence that a signed malicious ASUS update was being distributed to users in June 2018, when several people in a Reddit forum posted comments about a suspicious ASUS alert that had appeared on their computers, prompting them to install a "critical" update. "ASUS strongly recommends that you install these updates now," the alert warned.
In a post titled "ASUSFourceUpdater.exe is trying to perform a mysterious update, but it doesn't say what," a user named GreyWolfx wrote: "I got an update popup from an EXE file that I had never seen before today ... I'm just curious if anyone knows what this update might be for?"
When he and other users clicked through their ASUS Updater tool for information about the update, the tool showed that ASUS had published no recent updates. However, because the file was digitally signed with an ASUS certificate and checked out on VirusTotal, many users accepted the update as legitimate and downloaded it to their computers. VirusTotal is a website that aggregates dozens of antivirus engines and lets users upload suspicious files to see whether the tools flag them as malicious.
"I uploaded the executable [to VirusTotal] and it came back clean as a validly signed file," one user wrote. "The spelling of 'force' and the blank detail window are strange, but other ASUS software installed on this system has struck me as having strange grammatical errors, so it's not a smoking gun," he noted.
Kamluk and Raiu said this may not be the first time the ShadowHammer attackers have struck. They said they found similarities between the ASUS attack and attacks previously carried out by a group Kaspersky calls ShadowPad. ShadowPad targeted a Korean company that makes enterprise software for managing servers. The same group has also been linked to the CCleaner attack. Although millions of machines were infected with the malicious CCleaner software update, only a portion of them were hit with a second-stage backdoor, much like the ASUS victims. ASUS systems themselves were on the CCleaner target list.
The Kaspersky researchers believe the ShadowHammer attackers were behind the ShadowPad and CCleaner attacks, and that the latter attack gave them access to the ASUS servers.
primary targets of the CCleaner attack," Raiu said. "One of the options we are considering is that this is the way they originally got into the ASUS network, and later they managed to use that access to launch the ASUS attack."