Operation ShadowHammer: ASUS Live Update Utility compromised

Discussion in 'General Network Security' started by umarmung, Mar 25, 2019.

  1. umarmung (Senior Member)
    "Kaspersky Lab has uncovered a new advanced persistent threat (APT) campaign that has affected a large number of users through what is known as a supply chain attack. Our research found that threat actors behind Operation ShadowHammer have targeted users of the ASUS Live Update Utility, by injecting a backdoor into it at least between June and November 2018. Kaspersky Lab experts estimate that the attack may have affected more than a million users worldwide."

    Source: Kaspersky Labs


    Salient details:

    "In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.

    ASUS Live Update is a utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers and applications. According to Gartner, ASUS is the world’s 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase.

    Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.

    The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

    We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers."

    Source: SecureList
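A worked illustration of the targeting gate the SecureList excerpt describes: the backdoored updater carries a hardcoded list of MAC addresses and only activates on machines whose adapter matches one of them, and because the file is vendor-signed and served from the vendor's own host, neither the signature nor the download origin tells a defender anything; only content hashes and the target list do. This is an added example, not code from the post, Kaspersky or ASUS. Two things are assumptions: that the target list is stored as MD5 hashes of the MAC rather than raw addresses (the post only says "a list of MAC addresses"), and every MAC and hash value below, which is constructed sample data and not a real indicator from the report.

```python
"""Triage helper for a ShadowHammer-style MAC-targeted implant.

Added example, not Kaspersky's or ASUS's code. Labelled assumptions:
  - the embedded target list holds MD5 hashes of the MAC address written
    as 12 upper-case hex digits with no separators (the post only says
    "a list of MAC addresses"; the encoding is assumed here)
  - SAMPLE_TARGETS and the IOC hashes in the test are constructed data,
    not real indicators from the report
"""
import hashlib
import re
import uuid

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 upper-case hex digits, separators removed.

    Accepts 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' and
    bare hex. Anything else raises, so a typo in an IOC list fails loudly
    instead of silently producing a hash that never matches.
    """
    canon = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not _HEX12.match(canon):
        raise ValueError(f"not a MAC address: {mac!r}")
    return canon


def mac_hash(mac: str) -> str:
    """MD5 of the canonical MAC string (the assumed target-list encoding)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_list(macs) -> frozenset:
    """What the attacker embeds: hashes, so the raw victim MACs are not
    readable by anyone who simply strings the binary."""
    return frozenset(mac_hash(m) for m in macs)


def targeted_macs(local_macs, target_hashes) -> list:
    """Return the local MACs whose hash is in the embedded list.

    This is the selection gate: the second stage only runs on machines
    where this is non-empty; every other victim just carries the dormant
    implant, which is why "installed" and "targeted" counts differ so much.
    """
    canon = (normalize_mac(m) for m in local_macs)
    return sorted(m for m in canon if mac_hash(m) in target_hashes)


def local_mac_addresses() -> list:
    """Best-effort primary MAC from the standard library.

    uuid.getnode() returns a random 48-bit value with the multicast bit set
    when it cannot read a real adapter; skip that case rather than hash junk.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [f"{node:012X}"]


def sha256_bytes(data: bytes) -> str:
    """Content hash of an updater image, the one check that vendor
    signature and vendor hosting cannot fool."""
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes, ioc_sha256) -> bool:
    """True if the file content is on the known-bad list."""
    return sha256_bytes(data) in ioc_sha256


# Constructed sample data (NOT real indicators from the report).
SAMPLE_TARGETS = build_target_list(["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"])

if __name__ == "__main__":
    hits = targeted_macs(local_mac_addresses(), SAMPLE_TARGETS)
    print("adapters on the constructed target list:", hits or "none")
```

To use this against the real report, replace SAMPLE_TARGETS with the published hash list and feed `targeted_macs` the MACs of every adapter on the box, not just the primary one; a laptop's Wi-Fi, wired and USB-dock adapters all have distinct addresses and any of them could be the one on the list.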
     
  2. Zonkd (Senior Member)
    Geeeeeeze. What now?
     
  3. RMerlin (Super Moderator)
    That does not affect routers in any way, only computers.

    Sent from my Nexus 5X using Tapatalk
     
  4. coxhaus (Part of the Furniture)
    please delete since the thread merged
     
    Last edited: Mar 25, 2019
  5. ColinTaylor (Part of the Furniture)
    Also from the stated source page:
     
  6. umarmung (Senior Member)
    Yes, perhaps it would have been better under General Network Security.

    The compromise of both security certificates and ASUS's own update infrastructure is highly disturbing, regardless of products, however.
     
  7. L&LD (Part of the Furniture)
    I wouldn't trust an exe tool from Kaspersky. :)
     
  8. Ronald Schwerer (Senior Member)
    Or this Kaspersky tool is the real trojan. Is that how they got HRC's emails?
     
  9. AndreiV (Very Senior Member)
  10. L&LD (Part of the Furniture)
    Already reported and discussed in other threads. :)

    RMerlin confirmed that Asus routers are not affected.

    Btw, not just laptops, but desktops too are possibly infected. ;)
     
  11. RMerlin (Super Moderator)
    Moved and merged threads in a more appropriate location.
     
  12. Authority (Regular Contributor)
    It’s ironic for a malign state actor like Kaspersky to throw shade on anyone.


    Sent from my iPhone using Tapatalk
     