Attackers compromised a server that ASUS uses to distribute its software update utility and used it to push a backdoored copy of that utility to thousands of users' computers, according to Kaspersky Lab. The Moscow-based firm discovered the incident late last year, and ASUS says the compromise has since been stopped. ASUS's own update infrastructure had been delivering the backdoor to customers for five months before the attack was discovered.
Kaspersky estimates that over 57,000 users of its own products installed the backdoor and that roughly 1 million Windows machines received it in total, even though the attackers appear to have been after only about 600 machines. The backdoor selected its victims by MAC address: once installed, it compared the host's own network adapter addresses against a hard-coded target list, and only on a match did it contact the attackers' command-and-control server, which then delivered additional malware to those machines. On the vast majority of infected hosts the backdoor therefore sat dormant and never reached out.
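To make the victim-selection step concrete, here is an added Python example (not code from the article, from Kaspersky or from ASUS) that models the MAC-address gate from the defender's side: given the MAC addresses of a host's adapters, it reports which of them appear on a target list, which is exactly the condition under which the real backdoor would have contacted its C2 server. The target list, the two addresses in it, and the choice of MD5 over a canonical 12-hex-digit MAC string are assumptions for this illustration; the article only says the malware selected machines by MAC address.

```python
import hashlib
import re
import uuid


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 uppercase hex digits, no separators.

    Accepts '00:11:22:33:44:55', '00-11-22-33-44-55' and '001122334455'.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.upper()


def mac_hash(mac: str) -> str:
    # Assumption for this example: the gate compares an MD5 digest of the
    # canonical MAC string. The article does not state the exact encoding
    # the real backdoor used; only the "hash of the MAC" idea is modelled.
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list. The real campaign carried a few hundred such
# entries inside the backdoored updater; these two addresses are made up.
TARGET_HASHES = frozenset(
    mac_hash(m) for m in ("00-11-22-33-44-55", "aa:bb:cc:dd:ee:ff")
)


def matched_targets(adapter_macs, target_hashes=TARGET_HASHES):
    """Return the canonical MACs whose hash is on the target list.

    An empty result means the gate stays closed: no C2 contact and no
    second-stage payload, which is what happened on almost every
    infected machine. Unparseable entries are ignored rather than fatal.
    """
    hits = []
    for mac in adapter_macs:
        try:
            digest = mac_hash(mac)
        except ValueError:
            continue
        if digest in target_hashes:
            hits.append(normalize_mac(mac))
    return hits


def local_macs():
    """Best-effort local enumeration via the standard library.

    uuid.getnode() yields at most one MAC, and falls back to a random
    48-bit number with the multicast bit set when none is found. A real
    check must walk every adapter (Wi-Fi, docking-station NICs, ...),
    because a match on any one of them opened the gate.
    """
    node = uuid.getnode()
    if node & (1 << 40):  # multicast bit set: random fallback, not a real MAC
        return []
    return ["%012X" % node]


if __name__ == "__main__":
    hits = matched_targets(local_macs())
    print("on target list" if hits else "not on target list", hits)
```

The detection lesson is in the numbers: a backdoored update can be present on a million machines while only a few hundred ever generate C2 traffic, so network indicators alone will miss almost every infected host. Hunting for the trojanized binary itself, by hash against the vendor's known-good release, catches the dormant majority.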
The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.
– Kaspersky Lab’s blog post
Some 18% of those affected were in Russia, roughly 16% in Germany and another 12 to 14% in France. “In principle, the distribution of victims should match the distribution of ASUS users around the world,” said Kaspersky Lab.
Although precise attribution is not available at the moment, certain evidence we have collected links this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM.
— Costin Raiu (@craiu) March 25, 2019
Increasing supply chain attacks
“We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques,” Kaspersky wrote in its blog. Kaspersky said that it discovered the attack using its new supply-chain detection technology to catch anomalous code hidden in legitimate code that was hijacking normal operations in a machine.
According to Engadget, supply chain attacks, and attacks on software update channels in particular, are on the rise. Windows Update was abused in 2012, when the Flame spyware spread across local networks by impersonating Microsoft's update service with a rogue certificate chained to a Microsoft certificate authority. Other popular applications, such as CCleaner and Transmission, have been compromised and unwittingly distributed malware to their users.