With the Internet reaching every corner of the world, it has become easy to target millions of computers at once. Many manufacturers release software updates and security patches to millions of computers simultaneously, but what if this process were turned against them?
According to a recent report by Motherboard, cyber criminals hijacked servers belonging to ASUS, one of the largest computer manufacturers, to push malware to millions of users’ computers via automatic software updates.
Millions of Asus Users Infected by the Malware
The Asus software update utility comes pre-installed on every Asus computer. It contacts Asus servers periodically to check whether any firmware, BIOS, UEFI, driver, application or other update is available for the device. The attackers carried out a supply chain attack: they compromised the company’s update server and then used it to deliver malware directly to users’ computers through the automatic update utility.
The supply chain attack was first discovered in January 2019, but it appears to have been active from June to November 2018. According to Kaspersky Lab’s analysis, more than one million Asus users worldwide received the malware via the software updates. Rather than acting on every infected system in that pool, the malware compared each machine’s MAC address against a list hardcoded in the trojanized samples in order to identify its specific targets.
“The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (e.g. ‘ASUSTeK Computer Inc.’). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers,” as the Kaspersky researchers describe.
The researchers at Kaspersky Lab extracted more than 600 unique MAC addresses from 200+ samples. In terms of complexity and technique, they believe this attack is even more serious than the CCleaner supply chain attack and the ShadowPad attack.
The attack mostly affected Asus users in Russia, Japan, Italy, the United States, Spain, Poland, the U.K., Canada, Germany and elsewhere. To help customers, Kaspersky created a site where any Asus user can check whether their device was targeted by comparing the MAC addresses of their network adapters with the hardcoded ones.
Although there is no official statement from Asus yet, Motherboard also reported that the malicious updates came from the ASUS Live Update server and were signed by Asus. Kaspersky will publish the complete details in a technical paper on this supply chain attack at the SAS 2019 conference in Singapore.
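The targeting mechanism described above (a hardcoded list of MAC addresses that the trojanized updater compares against the victim’s adapters) is also what Kaspersky’s check site inverts for defenders: enumerate your own adapters and compare them with the published list. The following is an added example written for this article, not Kaspersky’s tool or anything from the ASUS software. It normalizes MAC addresses written in the common separator styles, compares local adapters against a target list, and, as a generalization the article does not state, also accepts a target list distributed as MD5 digests of normalized MAC addresses (the hashing convention used here is an assumption of this example). The target addresses in the block are constructed sample values, not indicators from the Kaspersky report.

```python
import hashlib
import re
import uuid
from pathlib import Path

# Constructed sample target list for the example; these are NOT the MAC
# addresses or hashes published by Kaspersky. Entries deliberately use
# different separator styles to exercise the normalizer.
SAMPLE_TARGET_MACS = {"00:11:22:33:44:55", "AA-BB-CC-DD-EE-01", "0a1b.2c3d.4e5f"}

HEX_ONLY = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(mac: str) -> str:
    """Return a MAC address as 12 lowercase hex digits with separators removed."""
    digits = HEX_ONLY.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(digits: str) -> str:
    """Render 12 hex digits in the usual colon-separated form."""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_digest(normalized: str) -> str:
    """MD5 of the normalized (lowercase, no separators) MAC. Assumed convention,
    used only so the example can also match hash-form target lists."""
    return hashlib.md5(normalized.encode("ascii")).hexdigest()


def build_target_index(targets):
    """Split a target list into plain MACs (12 hex digits) and MD5 digests (32)."""
    plain, hashed = set(), set()
    for entry in targets:
        stripped = HEX_ONLY.sub("", entry).lower()
        if len(stripped) == 12:
            plain.add(stripped)
        elif len(stripped) == 32:
            hashed.add(stripped)
        else:
            raise ValueError(f"unrecognized target entry: {entry!r}")
    return plain, hashed


def find_targeted(adapter_macs, targets):
    """Return the local adapter MACs (colon form) that appear in the target list,
    either as plain addresses or as MD5 digests of the normalized address."""
    plain, hashed = build_target_index(targets)
    hits = []
    for mac in adapter_macs:
        norm = normalize_mac(mac)
        if norm in plain or mac_digest(norm) in hashed:
            hits.append(format_mac(norm))
    return hits


def local_adapter_macs():
    """Best-effort enumeration of this host's adapter MACs: Linux sysfs first,
    falling back to uuid.getnode() for a single address on other platforms."""
    macs = []
    for addr_file in Path("/sys/class/net").glob("*/address"):
        try:
            value = addr_file.read_text().strip()
        except OSError:
            continue
        # Skip loopback and interfaces without a hardware address.
        if value and value != "00:00:00:00:00:00":
            macs.append(value)
    if not macs:
        macs.append(format_mac(f"{uuid.getnode():012x}"))
    return macs


if __name__ == "__main__":
    # Constructed adapters for a stand-alone run; swap in local_adapter_macs()
    # to check the machine the script runs on.
    sample_adapters = ["00-11-22-33-44-55", "de:ad:be:ef:00:01"]
    print("targeted adapters:", find_targeted(sample_adapters, SAMPLE_TARGET_MACS))
```

Normalizing before comparison matters in practice: the same adapter is reported as `AA-BB-CC-DD-EE-01` by Windows tooling, `aa:bb:cc:dd:ee:01` by Linux, and `aabb.ccdd.ee01` by some network gear, and a naive string comparison would miss a real hit.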