Researchers at cybersecurity firm Kaspersky Lab say ASUS, one of the world's largest computer manufacturers, unintentionally installed a malicious backdoor on thousands of customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says.
ASUS, a multi-billion-dollar computer hardware company based in Taiwan that manufactures desktops, laptops, mobile phones, smart home systems and other electronic devices, pushed the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security company.
Researchers estimate that half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have targeted only about 600 of those systems. The malware searched for targeted systems using their unique MAC addresses. Once it was running on a system and found one of these targets, it contacted an attacker-controlled command-and-control server, which then installed additional malware on that computer.
Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code, or code that hijacks normal operations on a machine. The company plans to release a full technical paper and presentation on the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore. In the meantime, Kaspersky has published some technical details on its website.
The problem highlights the growing threat of so-called supply chain attacks, in which malicious software or components are installed on systems at the time they are manufactured or assembled, or afterward through trusted vendor channels. Last year the US set up a supply chain task force to examine the problem after a series of supply-chain attacks came to light in recent years. Although most attention on supply chain attacks has focused on the potential for malicious implants to be added to hardware or software during manufacturing, vendor software updates are an ideal way for attackers to deliver malware to systems after they have been sold, because customers trust vendor updates. This is especially true when the updates are signed with a vendor's legitimate digital certificate.
"This attack shows that the trust model we use, based on well-known vendor names and digital signature validation, cannot guarantee that you are protected against malware," said Vitaly Kamluk, director of the Asia-Pacific research and development team at Kaspersky Lab, who led the research. He noted that when the researchers contacted the company in January, ASUS denied to Kaspersky that its server had been compromised and that the malware had come from its network. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.
Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company.
US-based security firm Symantec confirmed Kaspersky's findings on Friday after Motherboard asked whether any of its customers had also received the malicious download. The company is still investigating, but said in a phone call that at least 13,000 Symantec customers were infected with the malicious ASUS update last year.
"We saw that the updates from the ASUS server came down through Live Update. They were trojanized, or maliciously updated, and signed by ASUS," said Liam O'Murchu, development director of Symantec's Security Technology and Response group.
This is not the first time attackers have used trusted software updates to infect systems. The notorious Flame spyware tool, developed by some of the same attackers behind Stuxnet, was the first known attack to fool users this way, hijacking the Microsoft Windows Update tool on machines in order to infect them. Flame, discovered in 2012, was signed with an unauthorized Microsoft certificate that the attackers obtained by abusing Microsoft's certificate system. In that case, the attackers did not compromise the Microsoft update server to deliver Flame. Instead, they were able to redirect the software update tool on targeted client machines to contact a malicious server the attackers controlled instead of the legitimate Microsoft Update server.
Two other attacks discovered in 2017 also involved trusted software updates. One was the computer security cleanup tool known as CCleaner, which distributed malware to customers through a software update; more than 2 million customers received the malicious update before it was discovered. The other was the notorious NotPetya attack, which began in Ukraine and infected computers through a malicious update to an accounting software package.
Costin Raiu, company-wide director of Kaspersky's Global Research and Analysis Team, said the ASUS attack differs from these others. "I would say that this attack stands out from previous attacks, but is one step higher in complexity and stealthiness. Surgical filtering of targets by their MAC address is one of the reasons why it has remained undetected for so long. If you are not a target, the malware is virtually silent," he told Motherboard.
But even when silent on non-targeted systems, the malware gave the attackers a backdoor into every infected ASUS system.
Tony Sager, senior vice president at the Center for Internet Security, who spent years performing defensive vulnerability assessments for the NSA, said the method the attackers used to select certain computers was odd.
"Supply chain attacks are big in the category and are a sign that someone is careful and has something planned," he said in a call with Motherboard. "But getting something out that hits tens of thousands of targets, if you are really only going after a few, is really something with a hammer behind it."
Kaspersky researchers first discovered the malware on January 29 on a customer's computer. After creating a signature to find the malicious update file on other customer systems, they found that more than 57,000 Kaspersky customers were infected with it. That victim count covers only Kaspersky customers, however. Kamluk said the actual number is likely in the hundreds of thousands.
Most of Kaspersky's infected machines (about 18 percent) were in Russia, followed by smaller numbers in Germany and France. Only about 5 percent of infected Kaspersky customers were in the United States. O'Murchu of Symantec said around 15 percent of its 13,000 infected customer machines were in the US.
Kamluk said Kaspersky notified ASUS of the problem on January 31, and a Kaspersky employee met with ASUS on February 14. But he said the company has been largely unresponsive since then and has not notified ASUS customers about the problem.
The attackers used two different ASUS digital certificates to sign their malware. The first expired in mid-2018, so the attackers then switched to a second legitimate ASUS certificate to sign their malware after that.
Kamluk said ASUS continued to use one of the compromised certificates to sign its own files for at least a month after Kaspersky notified the company of the problem, though it has since stopped. But Kamluk said ASUS still has not invalidated the two compromised certificates. This means that the attackers, or anyone else with access to the unexpired certificate, can use it to sign malicious files, and machines will treat those files as legitimate ASUS files.
This is not the first time ASUS has compromised its customers' security. In 2016, the company was charged by the Federal Trade Commission with misrepresentation and unfair security practices over multiple vulnerabilities in its routers, cloud backup storage and firmware update tools that allowed attackers to access customer files and router login credentials, among other things. The FTC said ASUS knew about the vulnerabilities for at least a year before fixing them and notifying customers, putting nearly one million US router owners at risk. ASUS settled the case by agreeing to establish and maintain a comprehensive security program that is to be independently audited for 20 years.
The ASUS Live Update tool, which delivered the malware to customers last year, comes preinstalled on ASUS laptops and other devices. When users enable it, the tool periodically contacts the ASUS update server to check for firmware or other software updates.
The malicious file pushed to client machines through the tool was called setup.exe and was purported to be an update to the update tool itself. It was actually a three-year-old ASUS update file from 2015 into which the attackers had injected malicious code before signing it with a legitimate ASUS certificate. According to Kaspersky Lab, the attackers pushed it to users between June and November 2018. Kamluk said the use of an old binary with a recent certificate indicates that the attackers had access to the server on which ASUS signs its files, but not to the build server where new files are created. Because the attackers used the same ASUS binary each time, this suggests they did not have access to the entire ASUS infrastructure, only to part of the signing infrastructure, Kamluk noted. Legitimate ASUS software updates were still being distributed to customers during the period the malware was pushed out. But those legitimate updates were signed with a different certificate that used enhanced validation protection, Kamluk said, which makes them harder to forge.
Kaspersky researchers collected more than 200 samples of the malicious file from customer machines and found that the attack was multi-staged and targeted.
The malicious samples contained hard-coded MD5 hashes, which turned out to be hashes of unique MAC addresses of network adapter cards. MD5 is an algorithm that creates a cryptographic representation, or hash value, of data passed through it. Each network card has a unique ID or address assigned by the card's manufacturer, and the attackers created a hash of each MAC address they were looking for before hard-coding those hashes into their malicious file, which makes it harder to tell which NICs the malware was seeking. The malware searched for 600 unique MAC addresses, though the actual number of targeted customers may be larger: Kaspersky can only see the MAC addresses hard-coded in the malware samples found on its own customers' computers.
Kaspersky researchers were able to crack most of the hashes they found and determine the MAC addresses. That told them which network cards the victims had installed in their computers, but not who the victims were. Each time the malware infected a computer, it read the MAC address from the computer's network card, hashed it, and compared that hash against the ones hard-coded in the malware. If one of the 600 targeted addresses was found, the malware reached out to asushotfix.com, a site masquerading as a legitimate ASUS site, and retrieved a second-stage payload that it downloaded to that system. With only a handful of computers contacting the command-and-control server, the malware could stay under the radar.
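As an added illustration (this is example code, not Kaspersky's or ASUS's), the following Python models the selection check described above: hash a local MAC address, compare it against a hard-coded hash list, and, as the researchers did, recover a MAC from its hash by enumerating the 24-bit NIC-specific suffix under a known vendor OUI. The target list here is constructed, and the exact text form the payload hashed is an assumption, since the article does not state it.

```python
import hashlib
import re
import uuid

def normalize_mac(mac: str) -> str:
    """Reduce '00:11:22:33:44:55', '00-11-22-33-44-55' or '001122334455' to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def mac_hash(mac: str) -> str:
    """MD5 of the normalized MAC text. Assumption: the real payload's exact input format is not given in the article."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()

# Constructed sample target list standing in for the ~600 hashes embedded in the payload.
DEMO_TARGET_MACS = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"]
DEMO_TARGET_HASHES = frozenset(mac_hash(m) for m in DEMO_TARGET_MACS)

def matching_macs(local_macs, target_hashes=DEMO_TARGET_HASHES):
    """Return the local MACs whose hash appears in the list; an empty list means the machine was not selected.
    A victim or analyst can run this against a published hash list to see whether a machine was a target."""
    return [m for m in local_macs if mac_hash(m) in target_hashes]

def recover_mac(target_hash, oui, start=0, count=1 << 24):
    """Recover a MAC from its MD5 by brute force, as analysts did: the 24-bit OUI is the vendor prefix,
    so only 2^24 NIC-specific suffixes remain, which is why hashing offers the attackers little secrecy.
    `start` and `count` bound the search window; returns the 12-hex-digit MAC or None if not in the window."""
    prefix = re.sub(r"[^0-9a-fA-F]", "", oui).lower()
    if len(prefix) != 6:
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    for nic in range(start, min(start + count, 1 << 24)):
        candidate = f"{prefix}{nic:06x}"
        if hashlib.md5(candidate.encode("ascii")).hexdigest() == target_hash:
            return candidate
    return None

if __name__ == "__main__":
    # uuid.getnode() returns one local MAC as an integer (or a random value if none can be read).
    mine = f"{uuid.getnode():012x}"
    print("local MAC", mine, "in demo target list:", bool(matching_macs([mine])))
```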
"They did not try to reach as many users as possible," Kamluk said. "They wanted to achieve very specific goals and knew their MAC address for the NIC in advance, which is very interesting."
O'Murchu of Symantec said he still was not sure whether any of his customers were among those whose MAC addresses were on the target list and who received the second-stage backdoor.
The command-and-control server that delivered the second-stage backdoor was registered on May 3 last year but was shut down in November, before Kaspersky discovered the attack. As a result, the researchers were unable to obtain a copy of the second-stage backdoor delivered to victims, and no victim machines could be identified that had contacted that server. Kaspersky believes that at least one of its customers in Russia was infected with the second-stage backdoor when its computer contacted the command-and-control server on October 29 last year. But Raiu said the company does not know the identity of the machine's owner, and so cannot contact them and investigate.
There were early signs that a signed, malicious ASUS update was pushed to users in June 2018, when a number of people in a Reddit forum posted comments about a suspicious ASUS alert that appeared on their computers announcing a "critical" update. "ASUS strongly recommends installing these updates now," the alert warned.
In a post titled "ASUSFourceUpdater.exe tries to make a mysterious update, but it does not say anything," a user named GreyWolfx wrote, "I got an update popup from an .exe file that I've never seen before today …. I'm just curious if anyone knows what this update might be for?"
When he and other users clicked on their ASUS update program for information about the update, the tool indicated that no recent updates had been released by ASUS. But because the file was digitally signed with an ASUS certificate, and checking the file on the VirusTotal website indicated it was not malicious, many accepted the update as legitimate and downloaded it to their computers. VirusTotal is a website that aggregates dozens of antivirus engines; users can upload suspicious files to the site to see whether any of the tools flag them as malicious.
"I uploaded the executable [to VirusTotal] and it comes back as a validly signed file with no output," wrote a user. "The spelling of 'force' and the empty detail window are odd, but I've found strange grammatical errors with other ASUS software installed on this system, so it's not a smoking gun," he noted.
Kamluk and Raiu said this may not be the first time the ShadowHammer attackers have struck. They said they found similarities between the ASUS attack and attacks previously carried out by a group Kaspersky calls ShadowPad. ShadowPad targeted a Korean company that makes enterprise software for managing servers. The same group was also linked to the CCleaner attack. Although millions of machines were infected with the malicious CCleaner software update, only a subset of those machines were hit with a second-stage backdoor, much like the ASUS victims. Notably, ASUS systems themselves were on the CCleaner target list.
The Kaspersky researchers believe the ShadowHammer attackers were behind the ShadowPad and CCleaner attacks, and that the latter gave them access to the ASUS servers.
"ASUS was one of the main targets of the CCleaner attack," Raiu said. "One of the options we are considering is that this is how they initially entered the ASUS network and later used persistence to carry out the ASUS attack."