Massive Supply Chain Attack Targets ASUS Users Worldwide
In a significant cybersecurity breach, researchers have identified a massive supply chain attack that compromised over one million computers manufactured by Taiwanese tech giant ASUS. This incident follows a troubling pattern of high-profile breaches, including the notorious CCleaner hack that impacted millions back in September 2017.
The attack, named Operation ShadowHammer by researchers at Kaspersky Lab, involved state-sponsored hackers hijacking the server behind ASUS Live Update, the company's automatic software update utility. Between June and November 2018, the attackers pushed malicious updates designed to install backdoors on a vast number of Windows systems globally. The tactic is particularly insidious because it exploits the trust users place in software updates.
Kaspersky’s investigation, which included analyzing over 200 samples of infected updates, revealed that the attackers aimed at a selective group of users. Instead of attempting to infect all ASUS devices, the hackers hardcoded a specific list of unique MAC addresses, thereby concentrating their efforts on specific targets. “We extracted more than 600 unique MAC addresses from the samples used in this attack,” the researchers stated, suggesting that broader vectors may exist.
The infected updates were signed with legitimate ASUS digital certificates, which gave them an appearance of authenticity and allowed the malware to evade detection for an extended period. This approach corresponds to a well-known tactic in the MITRE ATT&CK framework, falling under Initial Access and Persistence, in which attackers leverage trusted software to gain a foothold in targeted networks.
While Kaspersky has yet to definitively attribute the attack to a known Advanced Persistent Threat (APT) group, there are connections to the 2017 ShadowPad incident, which was linked to the BARIUM APT actors. The ongoing investigation suggests a systematic evolution of attacker strategies and raises the possibility that several adversarial groups are collaborating.
As part of its response, Kaspersky revealed that the backdoored version of the ASUS Live Update was downloaded by approximately 57,000 of its users. However, experts estimate the true scale of the problem may be significantly larger, potentially affecting over a million users across the globe. Preliminary findings indicate that the highest concentrations of victims are located in Russia, Germany, France, Italy, and the United States.
In an effort to mitigate the fallout, Kaspersky has alerted ASUS and various antivirus firms about the breach, and has also released an automated tool that lets users check whether they are affected by the ShadowHammer threat.
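Because the backdoor only activated on machines whose network adapter MAC address appeared on the attackers' hardcoded list, the natural defender-side check is the one Kaspersky's tool performed: compare every adapter's MAC on a host against the list. The following is an added illustration of that check, not Kaspersky's or ASUS's code; the target list and the `ip link show` output are constructed placeholders, and the parsing assumes Linux-style `ip link` text.

```python
import re

# Constructed sample of "targeted" MAC addresses in the mixed notations found in
# practice (colon, dash, Cisco dotted). Placeholder values only, not indicators
# from the real campaign.
CONSTRUCTED_TARGET_MACS = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-FF",
    "0a1b.2c3d.4e5f",
]

# Constructed `ip link show` output for a host with a loopback and two adapters,
# used as offline sample input.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 12:34:56:78:9a:bc brd ff:ff:ff:ff:ff:ff
"""

def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits so that
    list entries and adapter addresses compare regardless of formatting."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def adapter_macs(ip_link_output: str) -> dict:
    """Map interface name -> normalized MAC from `ip link show` text,
    skipping the all-zero loopback address."""
    macs, current = {}, None
    for line in ip_link_output.splitlines():
        head = re.match(r"^\d+:\s+([^:@]+)", line)
        if head:
            current = head.group(1)
            continue
        link = re.search(r"link/\w+\s+([0-9a-fA-F:]{17})", line)
        if link and current:
            mac = normalize_mac(link.group(1))
            if mac != "000000000000":
                macs[current] = mac
    return macs

def matching_adapters(ip_link_output: str, target_macs=CONSTRUCTED_TARGET_MACS) -> dict:
    """Return {interface: mac} for every adapter whose MAC is on the target list."""
    targets = {normalize_mac(m) for m in target_macs}
    return {name: mac for name, mac in adapter_macs(ip_link_output).items() if mac in targets}
```

A host with any hit should be treated as a potential ShadowHammer target and examined further, while a clean result only means the MACs present today were not on the list extracted from the analysed samples.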
As this investigation progresses, business owners should remain vigilant. Supply chain attacks of this kind underscore the importance of robust cybersecurity measures and of careful scrutiny of software updates, even signed ones from a trusted vendor. The patience and precision shown in this breach should serve as a stark reminder of the continuous and evolving threats in the digital landscape.