Researchers from the cybersecurity company Kaspersky Lab say that ASUS, one of the world's largest computer manufacturers, was used to unwittingly install a malicious backdoor on thousands of its customers' computers last year after attackers compromised the server behind its software update tool.
ASUS, a multi-billion-dollar Taiwan-based computer hardware company that manufactures desktops, laptops, mobile phones, smart home systems and other products, pushed the backdoor to its customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm. The researchers believe that half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers focused their efforts on only 600 of those systems. The malware searches for its target systems by their unique MAC addresses. Once on a system, if it finds one of those target addresses, the malware reaches out to a command-and-control server operated by the attackers, which then installs additional malware on that machine.
Kaspersky Lab said it discovered the attack in January after adding new supply-chain detection technology designed to catch anomalous code fragments hidden inside legitimate code, or code that hijacks a machine's normal operations. The company plans to release a full technical paper and a presentation on the ASUS attack, which it has named ShadowHammer, next month at its summit in Singapore. In the meantime, Kaspersky has published some of the technical details on its website.
The issue highlights the growing threat of so-called supply-chain attacks, in which malware or malicious components are installed on systems while they are being manufactured or assembled. Last year the US launched a supply-chain task force to examine the issue, after a number of supply-chain attacks were identified in recent years. Unlike implants that have to be added to hardware or software during production, software vendor updates are an ideal way for attackers to deliver malware to systems after they have been sold, because customers trust vendor updates, especially when they are signed with the vendor's legitimate digital certificate.
"This attack shows that the trust model we use, based on known vendor names and validation of digital signatures, cannot guarantee that you are safe from malware," said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab's Global Research and Analysis Team, who led the investigation. He noted that when the researchers contacted the company in January, ASUS denied to Kaspersky that its server had been compromised and that the malware had come from its network. But the malware download path collected by Kaspersky leads directly to the ASUS server, Kamluk said.
Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.
But the US-based security company Symantec confirmed Kaspersky's findings on Friday after Motherboard asked it to check whether any of its customers had also received the malicious download. The company is still investigating the matter, but said in a phone call that at least 1
"We saw the updates being released from the ASUS Live Update server. They were trojanized or malicious updates, and they were signed by ASUS," said Liam O'Murchu, director of technology development and response at Symantec.
This is not the first time attackers have used trusted software updates to infect systems. The Flame spyware tool, developed by the same attackers behind Stuxnet, was the first known attack to mislead users by hijacking the Microsoft Windows Update tool on machines in order to infect computers. Flame, discovered in 2012, was signed with a rogue Microsoft certificate that the attackers tricked Microsoft's systems into issuing to them. The attackers in that case did not actually compromise Microsoft's update server to deliver Flame. Instead, they were able to redirect the software update tool on targeted customers' machines to connect to a malicious server the attackers controlled rather than the legitimate Microsoft update server.
Two separate attacks detected in 2017 also subverted trusted software updates. One involved the computer security cleanup tool known as CCleaner, which delivered malware to customers through a software update. More than 2 million customers received that malicious update before it was discovered. The other incident was the notorious NotPetya attack, which began in Ukraine and infected machines through a malicious update to an accounting software package.
Costin Raiu, director of Kaspersky's Global Research and Analysis Team, said the ASUS attack differs from the others. "I would say that this attack stands out from the previous ones, because it is at another level of complexity and stealth. Filtering targets in a surgical way by their MAC addresses is one of the reasons it stayed undetected for so long. If you are not the target, the malware is virtually silent," he told Motherboard.
But while it is silent on non-target systems, the malware still gives the attackers a backdoor into every infected ASUS system.
Tony Sager, senior vice president at the Center for Internet Security, who for years did defensive vulnerability analysis for the NSA, said the method the attackers chose to reach specific computers is odd. "Supply-chain attacks are in the 'big deal' category and are a sign of someone who is careful about this and has done some planning," he told Motherboard in a phone call. "But putting something out that hits tens of thousands of targets when you are really only after a few is doing something with a hammer."
Kaspersky researchers first discovered the malware on a customer's machine on January 29. After creating a signature to find the malicious file on other customer systems, they found that more than 57,000 Kaspersky customers were infected with it. That victim count, however, covers only Kaspersky's own customers. Kamluk said the real number is probably in the hundreds of thousands.
Most of the infected machines belonging to Kaspersky customers (about 18%) are in Russia, followed by smaller numbers in Germany and France. Only about 5% of Kaspersky's infected customers were in the US. O'Murchu of Symantec said that about 15% of the 13,000 infected machines belonging to his company's customers were in the United States.
Kamluk said Kaspersky notified ASUS of the problem on January 31, and a Kaspersky employee met with ASUS in person on February 14. But he said that since then the company has largely failed to respond and has not notified ASUS customers of the problem.
The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, after which the attackers switched to a second legitimate ASUS certificate to sign their malware.
Kamluk said ASUS continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky notified the company of the problem, although it has since stopped. But Kamluk said ASUS has still not revoked the two compromised certificates, which means that the attackers, or anyone else with access to the certificate that has not yet expired, can still sign malicious files with it, and machines will treat those files as legitimate ASUS files.
This is not the first time ASUS has been accused of compromising its customers' security. In 2016 the Federal Trade Commission charged it with deceptive claims and unfair security practices over multiple vulnerabilities in its routers, cloud backup storage and a firmware update tool that would have allowed attackers to access customers' files and router login credentials, among other things. The FTC alleged that ASUS had known about these vulnerabilities for at least a year before fixing them and alerting customers, putting nearly one million US router owners at risk of attack. ASUS settled the case by agreeing to establish and maintain a comprehensive security program that will be subject to independent audits for 20 years.
The ASUS update tool that delivered the malware to customers last year is installed at the factory on ASUS laptops and other devices. When users enable it, the tool periodically connects to the ASUS update server to check whether firmware or other software updates are available.
"They wanted to get into very specific targets, and they already knew in advance the MAC address of their network card, which is quite interesting."
The malicious file pushed to customer machines through the tool is called setup.exe and purports to be an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 into which the attackers injected malicious code before signing it with a legitimate ASUS certificate. The attackers appear to have pushed it to users between June and November 2018, according to Kaspersky Lab. Kamluk said the use of an old binary with a recent certificate indicates that the attackers had access to the server where ASUS signs its files, but not to the actual server where it compiles new ones. Because the attackers used the same ASUS binary every time, they evidently did not have access to all of ASUS's infrastructure, just the signing portion, Kamluk notes. Legitimate ASUS software updates were still being pushed to customers during the period the malware was deployed, but those updates were signed with a different certificate that uses extended validation protection, Kamluk said, which makes it harder to forge. Kaspersky researchers collected more than 200 malware samples from customers' machines, which is how they determined that the attack was multi-stage and targeted.
Buried in these malicious samples are hardcoded MD5 hash values that turned out to be the unique MAC addresses of network adapters. MD5 is an algorithm that produces a cryptographic representation, or hash value, of whatever data is run through it. Every network card has a unique identifier, or address, assigned by the card's manufacturer, and the attackers computed a hash of every MAC address they were looking for before embedding those hashes in their malware, to make it harder to see what the malware was searching for. The malware had 600 unique MAC addresses to look for, although the actual number of targeted customers may be larger than that: Kaspersky can only see the MAC addresses that were embedded in the specific malware samples found on its customers' machines.
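The targeting check described above, reduced to its mechanics as an added example (this is not Kaspersky's or ASUS's code): each local MAC address is normalised, hashed with MD5 and looked up in the embedded hash list, which is also the check a defender would run to learn whether a given machine was on the target list. The target hashes and host MAC addresses below are constructed, and the exact string form the malware hashed is an assumption.

```python
import hashlib
import re
from typing import Iterable, List, Set


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to lowercase, colon-separated form.

    Accepts 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' and 'aabbccddeeff';
    anything that does not reduce to 12 hex digits is rejected.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_md5(mac: str) -> str:
    """MD5 hex digest of the canonical MAC string.

    The article does not state the exact string layout the malware hashed;
    the lowercase colon-separated form is an assumption made here.
    """
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def matching_macs(local_macs: Iterable[str], target_hashes: Set[str]) -> List[str]:
    """Return the local MAC addresses whose hash is on the target list.

    This is the membership test run on each infected host: the list gives
    away nothing about the targets, yet a host can still tell whether one of
    its own adapters is among them.
    """
    wanted = {h.lower() for h in target_hashes}
    return [m for m in local_macs if mac_md5(m) in wanted]


# Constructed target list: two made-up MAC addresses carried only as hashes,
# the way the malware embedded them. Not the real ShadowHammer list.
TARGET_HASHES = {mac_md5("00:11:22:33:44:55"), mac_md5("de:ad:be:ef:00:01")}

if __name__ == "__main__":
    # Constructed example of the adapters seen on one host.
    host_macs = ["AA-BB-CC-DD-EE-FF", "DE:AD:BE:EF:00:01"]
    hits = matching_macs(host_macs, TARGET_HASHES)
    print("targeted adapters:", hits or "none")
```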