According to a new report from Kaspersky Lab, Taiwan-based tech giant ASUS has been the victim of a massive supply chain attack that distributed malware to tens of thousands of ASUS computers worldwide. In fact, some estimates by security researchers suggest the number of Windows machines impacted by the supply chain attack could be much closer to 500,000. This attack, in which hackers essentially hijacked legitimate ASUS software updates and transformed them into malware delivery vehicles, is one of the highest-profile supply chain attacks to date.
Details of the supply chain attack
From details that have already been released and analyzed, it appears as if the attackers had inside information about ASUS servers and systems in order to carry out the attack. When ASUS updates were pushed out to Windows machines, it was necessary for the attackers to disguise what was actually happening. The key to this supply chain attack, says Kaspersky, was being able to have access to authentic digital signatures from ASUS for the software update. That way, when remote machines performed a routine check to see whether or not they should accept the system update, they would conclude that this was a legitimate ASUS update.
Once the update was accepted, the backdoor Trojan aspect of the operation went into effect. The malicious code could contact third-party servers, from which it could receive the final payload. According to Kaspersky, these Trojanized updates from ASUS went on for nearly five months, from June to November 2018. And they appeared to target specific MAC addresses in order to deliver malware more selectively without alerting ASUS.
What makes the attack particularly worrisome is the sheer number of machines potentially impacted. In fact, some third-party security researchers not affiliated with Kaspersky speculate that as many as 1 million users were impacted. Not to mention the fact that ASUS is also the maker of other tech products – including smart devices for the home – so the reality is that many more ASUS products may have been impacted. Kaspersky Lab only discovered the attack in January 2019, so the cyber attackers have had more than six months to plot and plan further attacks against ASUS users.
The supply chain attack problem
In many ways, the ShadowHammer supply chain attack follows the basic pattern of other supply chain attacks over the past 18 months. The two most notable supply chain attacks during this time period have been the CCleaner and Petya supply chain attacks. In the classic supply chain attack, a piece of malicious software gets installed on systems as they are manufactured or assembled. In some cases, as in the ASUS case, the supply chain attack can happen via vendor software updates. Customers tend to trust vendor updates, so the updates are made without thorough vetting. That’s especially the case if the updates come with authentic digital certificates.
As Kaspersky Lab has pointed out in its analysis of the ASUS case, the hackers were successful because they managed to co-opt this “trust model.” The update (officially known as the ASUS Live Update Utility) was legitimate, the company was a global tech leader, and the digital signature was authentic – so it’s easy to see why the attack became so pervasive. Users were tricked into thinking this version of ASUS Live Update was legitimate.
In response to other supply chain attacks, the U.S. has already created a so-called “supply chain task force” to monitor the situation. In today’s world, products are manufactured and assembled outside of the United States, and so the U.S. is stepping up its oversight of how these products are made. There is already rampant speculation, for example, that Chinese tech vendors are installing secret “back doors” to every tech product they manufacture, and that just about any Chinese digital device is capable of acting as a surveillance tool for the Chinese state. So this latest attack on ASUS is almost certainly going to raise additional questions about products manufactured in Taiwan. ASUS, for its part, denies that its servers were compromised, or that malware originated from its network.
Solutions to the supply chain attack problem
Given the potential scope of the problem, is there anything that can be done to prevent similar types of attacks in the future? According to security experts, the best solution is a more vigilant vetting of apps and updates. Instead of blindly accepting every possible update, machines may need to require additional layers of security authentication.
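The "additional layer" idea above, as an added example that is not from the article, Kaspersky or ASUS: a defender-side pre-install check for a downloaded Windows update. It treats a valid Authenticode signature as necessary but not sufficient, which is exactly the gap an authentic vendor signature leaves open, and additionally requires that the signer match a pinned thumbprint and that the file hash appear in a manifest obtained over an independent channel. The thumbprint value and manifest path are placeholders you must supply.

```powershell
# Added example (not the article's or ASUS's own code): layered update verification.
# A valid signature alone passed the check in the ASUS case, so two more layers are required.
param(
    [Parameter(Mandatory)] [string]$UpdatePath,
    # Placeholder: SHA-1 thumbprint of the vendor's genuine code signing certificate
    [string]$ExpectedThumbprint = 'PLACEHOLDER_VENDOR_CERT_THUMBPRINT',
    # Placeholder: SHA-256 list of known-good update files fetched over a second, independent channel
    [string]$ManifestPath = 'C:\ProgramData\UpdatePolicy\known-good-sha256.txt'
)

# Layer 1: platform signature validation (chain, revocation, timestamp as Windows applies them)
$sig = Get-AuthenticodeSignature -FilePath $UpdatePath

# Layer 3 input: the file's own SHA-256 (Get-FileHash returns uppercase hex)
$hash = (Get-FileHash -Path $UpdatePath -Algorithm SHA256).Hash

$knownGood = @()
if (Test-Path $ManifestPath) {
    $knownGood = Get-Content $ManifestPath | ForEach-Object { $_.Trim().ToUpper() }
}

$checks = [ordered]@{
    'Signature chain valid'        = ($sig.Status -eq 'Valid')
    # Layer 2: signer identity pinned, not just "some trusted CA signed it"
    'Signer thumbprint pinned'     = ($null -ne $sig.SignerCertificate -and
                                      $sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    # Layer 3: the exact artefact is one the vendor published, per the out-of-band manifest
    'Hash in out-of-band manifest' = ($knownGood -contains $hash)
}

$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    Write-Warning ("Update {0} failed at least one layer; do not install. SHA256={1} Signer={2}" -f
        $UpdatePath, $hash, $sig.SignerCertificate.Subject)
    exit 1
}
"All layers passed for $UpdatePath"
exit 0
```

A signed-but-unlisted file fails layer 3 and is logged with its hash and signer, which is the record an incident responder would want when checking whether a vendor's signing key has been misused.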
In addition, cyber security experts need to improve their understanding of code signing certificates now that they are becoming more prevalent in the digital world. Kevin Bocek, Vice President of security strategy and threat intelligence at machine identity protection provider Venafi, points out, “Code signing certificates are used to establish which updates and machines should be trusted, and they are in the applications that power cars, laptops, planes and more. Nearly every operating system is dependent on code signing, and we will see many more certificates in the near future due to the rise of mobile apps, DevOps and IoT devices.”
“However, cyber criminals see code signing certificates as a valuable target due to their extreme power. With a code signing certificate, attackers can make their malware seem trustworthy and evade threat protection systems,” says Bocek. “Unfortunately, in many organizations the protection of code signing processes falls mostly to developers who are not prepared to defend these assets. In fact, most security teams aren’t even aware if their developers are using code signing or who may have access to the code signing process. It’s imperative for organizations to know what code-signing certificates they have in use and where, especially as it’s likely we’ll see similar attacks in the future.”
And, if the cyber attackers really did have access to internal systems and authentication credentials from deep within ASUS, there needs to be greater attention placed on preserving the security integrity of those servers. As other security firms have pointed out, the ASUS attack is similar to the CCleaner supply chain attack, in which the threat actors were able to carry out significant reconnaissance work in advance.
Going forward, it is clear that hackers are becoming more creative and sophisticated in how they carry out attacks. That is raising the stakes for cyber security teams at huge corporations around the world. Software updates are a fact of life in today’s digital world, and the ability to deliver live updates as new fixes and patches are discovered has been viewed as a deterrent to cyber attacks. These new supply chain attacks, if they continue to intensify, may cause a significant re-thinking of this conventional wisdom.