Recent developments reveal a significant cyber breach affecting ASUS customers, attributed to a sophisticated supply chain attack. Kaspersky, a Russian cybersecurity company, disclosed parts of this incident last week, though it withheld the complete list of hardcoded MAC addresses embedded in the malicious code targeting specific users.

Instead of releasing the full list, Kaspersky provided an offline tool and set up an online portal so that ASUS PC users could check their MAC addresses against those identified in the attack. However, criticism arose regarding the tool’s practicality, particularly for large organizations whose networks encompass hundreds of thousands of devices.

To enhance transparency and assist fellow cybersecurity professionals, Shahar Zini, the CTO of Australian security firm Skylight, collaborated with The Hacker News by sharing a comprehensive list detailing nearly 583 MAC addresses that were targeted during the ASUS breach. Zini emphasized the importance of making this information publicly accessible, allowing security analysts to more effectively assess vulnerabilities within their operations.

Skylight’s cybersecurity experts used Kaspersky’s offline tool to extract the full set of 619 salted MAC-address hashes. Leveraging compute resources from Amazon’s AWS, they brute forced the targeted addresses in under an hour, showing how quickly a hashed list of MAC addresses can be recovered with suitable hardware.
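To illustrate the kind of offline check described above (a host's MAC addresses compared against a list of salted hashes), here is an added example that is not Kaspersky's tool or any code from the article. The article does not state the hash construction the malware used, so this example assumes a placeholder scheme (SHA-256 over a salt followed by the six raw MAC bytes) and a constructed salt and target list; the point it demonstrates is normalizing MAC spellings before hashing so that formatting differences cannot hide a match.

```python
import hashlib
import re

# Placeholder scheme for this example only: SHA-256(salt || 6 raw MAC bytes).
# The real ShadowHammer construction is not given on the page; this is assumed.
SALT = b"example-salt"  # constructed value, not the real salt


def normalize_mac(mac: str) -> bytes:
    """Accept common spellings (AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff, aabbccddeeff) and return the six raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_hash(mac: str, salt: bytes = SALT) -> str:
    """Salted hash of a normalized MAC, hex-encoded (placeholder scheme)."""
    return hashlib.sha256(salt + normalize_mac(mac)).hexdigest()


def check_macs(host_macs, targeted_hashes, salt: bytes = SALT):
    """Return the host MACs whose salted hash appears in the targeted list.
    Hashes are compared case-insensitively and MACs are normalized first,
    so "00-11-22-aa-bb-cc" matches a list built from "00:11:22:AA:BB:CC"."""
    targeted = {h.lower() for h in targeted_hashes}
    return [m for m in host_macs if mac_hash(m, salt) in targeted]


# Constructed sample data: two "targeted" MACs, published only as hashes.
TARGETED_MACS = ["00:11:22:AA:BB:CC", "00:11:22:DD:EE:FF"]
TARGETED_HASHES = [mac_hash(m) for m in TARGETED_MACS]


def demo():
    """Check a constructed host inventory; only the first entry is a hit
    (the second differs in its last byte, the third shares no bytes)."""
    host_macs = ["00-11-22-aa-bb-cc", "0011.22dd.ee00", "02:42:ac:11:00:02"]
    return check_macs(host_macs, TARGETED_HASHES)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the inventory would come from an asset database or endpoint agent rather than an inline list; the normalization step is what keeps such an export comparable to the published hashes.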

The attack, dubbed “Operation ShadowHammer,” involved state-sponsored hackers compromising ASUS’s Live automatic update server last year, resulting in the distribution of malicious updates to over one million Windows systems globally. Kaspersky identified this breach following the infection of 57,000 of its users who had downloaded the compromised ASUS LIVE Update software.

The nature of the malware indicated that the attackers specifically targeted a predefined group of users by identifying their unique MAC addresses, which were hardcoded into the malicious software. Although the secondary malware stage was distributed to approximately 600 users, concerns persist regarding the security of the broader user base that received the tainted update.

In response to this incident, ASUS acknowledged a breach involving unknown adversaries between June and November 2018 and has since released a cleansed version of its LIVE Update application, accompanied by a commitment to introduce additional security verification measures to mitigate future threats. However, mere installation of the updated software does not guarantee elimination of any embedded malware, and ASUS has provided a diagnostic tool for customers to ascertain whether their systems were compromised.

As the investigation continues, the identities and motives of the hackers remain unclear, but monitoring and understanding the tactics employed in this incident is crucial for businesses. Mapped to the MITRE ATT&CK framework, the incident involved initial access (through the compromised update channel) and persistence, and possibly privilege escalation. As the situation unfolds, organizations must remain vigilant and proactive in strengthening their defenses against such targeted threats.
