Hackers hijacked ASUS software updates to install backdoors on thousands of computers

Researchers at the security firm Kaspersky Lab say that ASUS, one of the world's largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers' computers last year, after attackers compromised a server for the company's live software update tool.

ASUS is a multi-billion-dollar Taiwan-based hardware company that makes desktops, laptops, mobile phones, smart home systems and other electronics. The file that installed the backdoor was pushed to its customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm. The researchers believe that half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware looked for targeted systems by their unique MAC addresses. Once on a system, if it found one of those target addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.

Kaspersky Lab said it discovered the attack in January after adding a new supply-chain detection technology that catches anomalous code fragments hidden in legitimate code, or code that hijacks normal operations on a machine. The company plans to release a full technical paper and a presentation on the ASUS attack, which it has named ShadowHammer, next month at its security summit in Singapore. In the meantime, Kaspersky has published some of the technical details on its website.

The issue highlights the growing threat of so-called supply-chain attacks, in which malware or malicious components are installed on systems as they are manufactured or assembled. Last year, the US launched a supply-chain task force to investigate the issue after a number of supply-chain attacks were identified in recent years. Unlike implants that must be added to hardware or software during production, software vendor updates are an ideal way for attackers to deliver malware to systems after they are sold, because customers trust vendor updates, especially when they are signed with the vendor's legitimate digital certificate.

"This attack shows that the trust model we use, based on known vendor names and validation of digital signatures, cannot guarantee that you are safe from malware," said Vitaly Kamluk, Asia Pacific director of Kaspersky Lab's Global Research and Analysis Team, who led the investigation. He noted that when the researchers contacted the company in January, ASUS denied to Kaspersky that its server had been compromised and that the malware had come from its network. But the download path for the malware that Kaspersky collected leads directly to the ASUS server, Kamluk said.

Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday, but has not heard back from the company.

But the US-based security firm Symantec confirmed Kaspersky's findings on Friday after Motherboard asked it to check whether any of its customers had also received the malicious download. The company is still investigating the matter, but said in a phone call that at least 13,000 PCs belonging to Symantec customers were infected with the malicious ASUS update last year.

"We saw the updates come down from the ASUS Live Update server. They were trojanized, or malicious, updates, and they were signed by ASUS," said Liam O'Murchu, director of the Security Technology and Response group at Symantec.

This is not the first time attackers have used trusted software updates to infect systems. The Flame spyware tool, developed by the same attackers behind Stuxnet, was the first known attack to mislead users this way, by hijacking the Microsoft Windows Update tool on machines to infect computers. Flame, discovered in 2012, was signed with an unauthorized Microsoft certificate that the attackers tricked Microsoft's systems into issuing to them. The attackers in that case did not actually compromise Microsoft's update server to deliver Flame. Instead, they were able to redirect the software update tool on targeted customers' machines to connect to a malicious server the attackers controlled instead of the legitimate Microsoft update server.

Two separate attacks uncovered in 2017 also subverted trusted software updates. One involved the computer cleanup security tool known as CCleaner, which delivered malware to customers through a software update. More than 2 million customers received that malicious update before it was discovered. The other incident was the infamous NotPetya attack, which began in Ukraine and infected machines through a malicious update to an accounting software package.

Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, said the ASUS attack differs from the others. "I would say that this attack stands out from the previous ones in its level of complexity and cunning. Filtering targets in a surgical way by their MAC addresses is one of the reasons it stayed undetected for so long. If you're not the target, the malware is almost silent," he told Motherboard.

But while it is silent on non-targeted systems, the malware still gives the attackers a backdoor into every infected ASUS system.

Tony Sager, senior vice president at the Center for Internet Security, who for years oversaw vulnerability analysis at the NSA, said the method the attackers chose to target specific computers is odd. "Supply-chain attacks are in the 'big deal' category and are a sign of someone who is careful about this and has done some planning," he told Motherboard in a phone call. "But putting something out that hits tens of thousands of targets, when you're really only going after some, is really doing something with a hammer."

Kaspersky researchers first discovered the malware on a customer's machine on January 29. After creating a signature to find the malicious file on other customer systems, they found that more than 57,000 Kaspersky customers were infected with it. That victim count, however, covers only Kaspersky's own customers. Kamluk said the actual number is probably in the hundreds of thousands.

Most of the infected machines belonging to Kaspersky customers (about 18%) are in Russia, followed by smaller numbers in Germany and France. Only about 5% of Kaspersky's infected customers were in the US. O'Murchu of Symantec said that about 15% of the 13,000 infected machines belonging to his company's customers were in the United States.

Kamluk said Kaspersky notified ASUS of the problem on January 31, and a Kaspersky employee met with ASUS in person on February 14. But he said that since then the company has largely failed to respond and has not notified ASUS customers of the problem.

The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, after which the attackers switched to a second legitimate ASUS certificate to sign their malware.

Kamluk said ASUS continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky notified the company of the problem, though it has since stopped. But Kamluk said ASUS still has not revoked the two compromised certificates, which means that the attackers, or anyone else with access to the certificate that has not yet expired, can still sign malicious files with it, and machines will treat those files as legitimate ASUS files.

This is not the first time ASUS has been accused of compromising its customers' security. In 2016, the Federal Trade Commission charged the company with deceptive performance claims and unfair security practices relating to multiple router vulnerabilities, cloud backup storage and a firmware update tool that would have let attackers access customer files and router login credentials, among other things. The FTC claimed ASUS had known about these vulnerabilities for at least a year before fixing them and alerting customers, putting nearly one million US router owners at risk of attack. ASUS settled the case by agreeing to set up and maintain a comprehensive security program subject to independent audits for 20 years.

The ASUS update tool that delivered the malware to customers last year is installed on ASUS laptops and other devices at the factory. When users enable it, the tool periodically connects to the ASUS update server to check whether firmware or other software updates are available.

The malicious file sent to customer machines through the tool is called setup.exe and was purportedly an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 that the attackers injected with malicious code before signing it with a legitimate ASUS certificate. The attackers appear to have pushed it to users between June and November 2018, according to Kaspersky Lab. Kamluk said the use of an old binary with a recent certificate indicates the attackers had access to the server where ASUS signs its files, but not to the build server where it compiles new ones. Because the attackers used the same ASUS binary every time, it means they did not have access to all of ASUS's infrastructure, only part of the signing infrastructure, Kamluk notes. Legitimate ASUS software updates were still being pushed to customers during the period the malware was deployed, but those legitimate updates were signed with a different certificate that uses extended validation protection, Kamluk said, making it harder to obtain. Kaspersky researchers have collected more than 200 malware samples from customers' machines, which is how they discovered that the attack was multistage and targeted.
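Kamluk's observation above, that the malicious setup.exe was a 2015 binary signed with a certificate issued years later, is something a defender can turn into a triage check. The Python below is an added example, not code from the page or from Kaspersky: it reads the compile timestamp from the COFF header of a PE file and flags a binary whose compile date predates the signing certificate's validity start by more than a configurable gap. The minimal PE header it builds is constructed test input, and the `cert_not_before` date is assumed to come from the file's Authenticode signature (extracting it is outside this snippet). Compile timestamps can be zeroed or forged, so a hit is a reason to look closer, not proof of tampering.

```python
import struct
from datetime import datetime, timedelta, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so every date in this example is an unambiguous UTC datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout: 'MZ' at offset 0, e_lfanew (offset of 'PE\\0\\0') at 0x3C, then the
    COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_fake_pe(compiled: datetime) -> bytes:
    """Constructed test input: a minimal MZ/PE header carrying the given compile
    timestamp. It is not a runnable binary, only enough header for
    pe_timestamp() to parse."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine = IMAGE_FILE_MACHINE_I386, one section, then the timestamp.
    struct.pack_into("<HHI", hdr, e_lfanew + 4, 0x14C, 1, int(compiled.timestamp()))
    return bytes(hdr)


def stale_binary_resigned(data: bytes, cert_not_before: datetime,
                          max_gap: timedelta = timedelta(days=365)) -> bool:
    """Heuristic: the binary was compiled long before the signing certificate
    existed. cert_not_before is assumed to be the notBefore date of the
    Authenticode signing certificate, obtained separately."""
    compiled = pe_timestamp(data)
    return cert_not_before - compiled > max_gap


if __name__ == "__main__":
    # A 2015 build signed with a certificate valid from mid-2018 trips the check.
    old_build = build_fake_pe(utc(2015, 3, 1))
    print("compiled:", pe_timestamp(old_build).date())
    print("stale re-sign suspected:", stale_binary_resigned(old_build, utc(2018, 6, 1)))
```

A vendor that rebuilds its updater when it ships a new release will normally have a compile date close to, or after, the certificate's validity start; a large negative gap is the pattern Kamluk describes and is cheap to compute at scale over an update archive.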

Buried in these malicious samples were hardcoded MD5 hash values that turned out to be the unique MAC addresses of network adapters. MD5 is an algorithm that produces a cryptographic fingerprint, or hash value, of whatever data is run through it. Every network card has a unique identifier, or address, assigned by the card's maker, and the attackers hashed each MAC address they were looking for before hardcoding those hashes into their malware, making it harder to see what the malware was looking for. The malware had 600 unique MAC addresses to look for, although the actual number of targeted customers may be larger than that: Kaspersky can only see the MAC addresses hardcoded in the specific malware samples found on its own customers' machines.

Kaspersky researchers were able to crack most of the hashes they found to recover the MAC addresses, which helped them identify the network cards the victims had installed in their machines, but not the victims themselves. Each time the malware infects a machine, it collects the MAC address from the machine's network card, hashes it and compares that hash with the ones hardcoded in the malware. If it finds a match with one of the 600 target addresses, the malware reaches out to asushotfix.com, a site masquerading as a legitimate ASUS site, to retrieve a second-stage backdoor that it downloads onto that system. Because only a small number of machines contacted the command-and-control server, this helped the malware stay under the radar.
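The two paragraphs above describe the targeting mechanism: hash the local MAC, compare against a hardcoded list, and only then contact the second-stage server. The following Python is an added example, not code from the page or from Kaspersky, written from the defender's side. It shows the hash-set comparison, the check a responder would run to see whether a host's adapters appear in a published list of targeted hashes (the kind of check Kaspersky offered its customers), and why the researchers could "crack" most of the hashes: under a known vendor prefix (OUI) there are only 2^24 possible addresses, so MD5 hides nothing. The target MACs are constructed placeholders, and the canonical string format hashed here is an assumption; the page does not say exactly how the malware formatted addresses before hashing, and a real check must match that format.

```python
import hashlib
import re

# Constructed placeholders standing in for a published list of targeted MAC
# addresses (not the real ShadowHammer values, which the page does not give).
CONSTRUCTED_TARGET_MACS = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"]


def normalize_mac(mac: str) -> str:
    """Canonical form: six lowercase hex pairs joined by ':'.

    Assumption: the exact string format the malware hashed is not stated on
    the page; a real check must hash MACs in the same format the samples used.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def mac_md5(mac: str) -> str:
    """MD5 hex digest of a MAC in canonical form (what the malware stored)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def build_hash_set(macs) -> set:
    """What the attackers embedded: hashes instead of the addresses themselves."""
    return {mac_md5(m) for m in macs}


TARGET_HASHES = build_hash_set(CONSTRUCTED_TARGET_MACS)


def is_targeted(mac: str, target_hashes=TARGET_HASHES) -> bool:
    """The comparison described above: hash this adapter's MAC and look it up."""
    return mac_md5(mac) in target_hashes


def check_host(adapter_macs, target_hashes=TARGET_HASHES) -> list:
    """Defender's use: which of this host's adapters appear in the published list."""
    return [m for m in adapter_macs if is_targeted(m, target_hashes)]


def recover_mac(target_hash: str, oui: str, limit: int = 1 << 24):
    """Invert a hash by enumerating the 2^24 addresses under a known OUI.

    Hashing hides the list from casual inspection but does not protect it:
    per vendor prefix there are only 16 million candidates, which is why the
    researchers could recover most of the addresses. `limit` bounds the
    search for demonstration; the full space is 1 << 24.
    """
    oui_hex = re.sub(r"[^0-9a-fA-F]", "", oui).lower()
    if len(oui_hex) != 6:
        raise ValueError(f"not a 3-byte OUI: {oui!r}")
    for suffix in range(min(limit, 1 << 24)):
        candidate = normalize_mac(oui_hex + f"{suffix:06x}")
        if mac_md5(candidate) == target_hash:
            return candidate
    return None  # not under this OUI, or beyond the enumeration limit


if __name__ == "__main__":
    # Which adapters on this (constructed) host are in the list?
    print(check_host(["00:11:22:33:44:55", "12:34:56:78:9a:bc"]))
    # Recover a hashed address given its vendor prefix.
    print(recover_mac(mac_md5("00:11:22:00:00:2a"), "00:11:22", limit=1000))
```

The design point worth noticing is that `is_targeted` never needs the plaintext list, which is exactly what let the malware stay quiet on non-targets, while `recover_mac` shows that the same property gives an analyst little trouble once one hash-and-compare routine is understood.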

"They did not try to target as many users as possible," Kamluk said. "They wanted to get into very specific targets, and they already knew in advance the MAC address of their network card, which is quite interesting."

O'Murchu of Symantec said he is still not sure whether any of his company's customers are among those whose MAC

The command-and-control server that delivered the second-stage backdoor was registered on May 3 last year but was shut down in November, before Kaspersky discovered the attack. Because of this, the researchers were unable to obtain a copy of the second-stage backdoor pushed to victims, or to identify the machines of the victims that contacted the server. Kaspersky believes at least one of its customers in Russia was infected with the second-stage backdoor when that machine connected to the command-and-control server on October 29, but Raiu says the company does not know the identity of the machine's owner, so it cannot contact them to investigate further.

There were early hints that the signed malicious ASUS update was pushed to users in June 2018, when a number of people posted comments on a Reddit forum about a suspicious ASUS alert that appeared on their machines for a "critical" update. "ASUS strongly recommends that you install these updates now," the alert warned.

In a post titled "ASUSFourceUpdater.exe is trying to make some mysterious update but will not say what," a user named GreyWolfx wrote: "I have a popup message from an .exe I've never seen before. I'm just curious if anyone knows what this update might be?"

When he and other users clicked on their ASUS update tool to get information about the update, the tool showed no new updates from ASUS. But because the file was digitally signed with an ASUS certificate, and because checking the file on VirusTotal's website showed it was not malicious, many accepted the update as legitimate and downloaded it to their machines. VirusTotal is a site that aggregates dozens of antivirus engines; users can upload suspicious files to the site to see whether any of the tools recognize them as malicious.

"I uploaded the executable [to VirusTotal] and it comes back as a validly signed file without a problem," one user wrote. "The spelling of 'force' and the empty details window are really strange, but I have noticed strange grammatical errors in other ASUS software installed on this system, so it's not a smoking gun on its own," he noted.

Kamluk and Raiu said this might not be the first time the ShadowHammer attackers have struck. They said they found similarities between the ASUS attack and ones previously conducted by a group Kaspersky calls ShadowPad. ShadowPad targeted a Korean company that makes server management software; the same group has also been linked to the CCleaner attack. Although millions of machines were infected with the malicious CCleaner update, only a subset of them were targeted with a second-stage backdoor, similar to the ASUS victims.

Kaspersky researchers believe the ShadowHammer attackers were behind the ShadowPad and CCleaner attacks and gained access to ASUS servers through the latter attack. primary targets of the CCleaner attack," Raiu said. "One of the options we are considering is that this is how they got into the ASUS network, and later, through persistence, they managed to use that access … to launch the ASUS attack."
