Still, we urge everyone to be vigilant and make sure they are getting the best protection possible. Our own numbers show that less than 5% of all Heimdal Security active users own ASUS computers. #ShadowHammer Victim Distribution by Country. The chart below sheds more light onto the main user pools impacted by this ASUS Live Update backdoor. Most users affected were located in Russia, Germany, and France. The threat actor associated with those attacks was BARIUM, an entity which researchers suspect is backed by the Chinese government. The breach bore many similarities to previous supply chain attacks targeting CCleaner (the incident linked above) and the ShadowPad attack from 2017 which impacted NetSarang. As for who could be behind this attack, the researchers who discovered the issue don’t have a definitive answer, but a strong hunch.
Since ASUS is the 5 th largest PC vendor in the world (according to a 2017 Gartner count by unit sales), this so-called #ShadowHammer malware is a remarkably dangerous one. Still, this is the first attack which manages to imitate digital signatures perfectly and infect computers on such a large scale. A similar supply chain attack was carried out through CCleaner in 2017.
Signed ASUS Live Updater Installer Certificates.Īccording to them, the setup installers were perfectly imitating digital signatures with legitimate “ASUSTeK Computer Inc.” certificates that were “hosted on the official liveupdate01s.asuscom and liveupdate01.asuscom ASUS update servers.” It’s not the first time that hackers use a legitimate program in order to install backdoors through it.
This server was taken down some time in November 2018, way before the cybersecurity researchers first detected this vulnerability in the ASUS auto-update software.
The second part of malicious code was downloaded from the command-and-control server located at asushotfixcom. Once those computers were detected, the hackers then deployed stage 2 of their supply chain attack.
Īfter a corrupted version of the ASUS auto-update software was installed, the hackers used the hardcoded list of MAC addresses in order to identify those computers where their backdoor had been installed. We estimate this may have affected over 1 million computer users between June and Nov 2018. Cybersecurity experts say that this type of MO points to a surgical espionage malware, which means it was specifically designed to spy on specific users.Īsus Live Updater was used in a big supply chain attack we dubbed Operation #ShadowHammer. Each of these corrupted auto-update software versions was targeting a specific and unknown pool of users, which were identified by their network adapters’ MAC addresses. The researchers who raised the alarm estimate that over a million computers were affected. The hackers managed to replace the authentic ASUS Live Update software with several corrupted versions of their own, which imitated the digital signature of ASUS and fooled computers into downloading and installing them. It’s used to perform automatic updated on important computer software components, such as BIOS, UEFI, software drivers, and some other major applications. The ASUS Live Update is a software patching utility which comes preinstalled on most ASUS computers. How the Advanced Persistent Threat (APT) infection worked
We want to make you aware of this vulnerability, and urge you to take a few basic steps to secure your system, in case you own any ASUS computers. This unusually dangerous attack has been dubbed Operation #ShadowHammer and ran from June 2018 to November 2018 undetected until now. This huge supply chain attack fooled computers into thinking they were receiving updates from ASUS, all the while installing a backdoor into those computers. This type of attack is unprecedented in its seriousness because it managed to perfectly imitate the signature of the original ASUS auto-update software, passing by undetected by conventional anti-virus solutions. Latest security updates unveiled an advanced persistent threat (APT) attack that affected over a million ASUS users worldwide. There were also several retailers and pharmaceutical companies located in Asia targeted by the ShadowHammer attack. Among the other targets were Electronics Extreme (authors of the ‘Infestation: Survivor Stories’ zombie survival game), Innovative Extremist, another IT and game development company, and Zepetto (the South Korean authors of the ‘Point Blank’ video game). In these other attacks, similar algorithms were used and just like in the ASUS case, legitimately signed certificates were used. Update 23rd April 2019: Further research revealed that the ShadowHammer malware has targeted and successfully attacked multiple companies, not just ASUS.