On Monday, we saw once again how criminals can exploit trust and use it as a weakness.
Kaspersky Lab reported that one of the world’s largest computer manufacturers, Taiwan-based ASUS, had mistakenly installed a backdoor program dubbed “ShadowHammer” onto the computers of thousands of customers after hackers infiltrated the company’s automated software update system.
Experts offering initial estimates suggest the trojanized update may have affected up to half a million Windows machines. Kaspersky reported 57,000 users of ASUS’s product were attacked, “but we estimate it was distributed to about 1 million people total.” Symantec telemetry showed 13,000 infections (80 percent of which were consumers, not organizations). The full scope of the attack has yet to be established.
The attacker’s motive remains unclear, but Kaspersky noted that 600 MAC addresses were specifically targeted, even though the malicious update affected far more.
Gizmodo has reached out to ASUS for comment and we’ll update as soon as one is provided. Motherboard, which broke the news, said it first reached out to ASUS on Thursday but had yet to get a response.
ShadowHammer is what’s known as a supply-chain attack—when hackers compromise targets by injecting malicious code into the hijacked software update of a third-party service. On average, businesses are far less suspicious of these updates because they’re deployed by vendors whose software is already trusted. Applying updates is also something IT professionals are told to do right away, as they routinely contain security patches intended to make a product safer.
This form of transitive trust is becoming increasingly perilous due to an uptick in supply-chain attacks, as several end-of-2018 analyses of the evolving threat landscape described. Symantec, for example, found that supply-chain attacks had increased by 78 percent compared to the previous year. Notable incidents involved CCleaner, a widely used security clean-up tool, and the NotPetya attacks, in which a payload was injected into Ukrainian accounting software.
Noting that the malicious file was signed using ASUS’s digital certificates and distributed through official channels, a research and analysis director at Kaspersky told Motherboard that the incident illustrates “that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware.”
As the site noted, ASUS has previously settled charges brought by the Federal Trade Commission (FTC) over vulnerabilities in its routers—flaws that it was accused of concealing from consumers for a year or more—by promising to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”
It’s too early to tell whether the FTC will take action and investigate this incident, or whether it will consider it a violation of its previous order. (The FTC Act empowers the commission to seek civil penalties and/or injunctive relief when companies violate such agreements.)
“While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack,” reported Kaspersky, which also advised anyone using the ASUS Live Update Utility to update it at once.
A technical paper revealing more about ShadowHammer will be released, the company said, during the Kaspersky Security Analyst Summit next month.