ASUS Live Update Utility cracked, installs ShadowHammer backdoor on 1M PCs, but only 600 targeted

Credit to Author: Woody Leonhard | Date: Mon, 25 Mar 2019 09:28:00 -0700

Great way to wake up on Monday morning, especially if you own an ASUS machine.

Kaspersky just published a teaser for a more thorough explanation to come in two weeks at the Kaspersky Security Analysts Summit in Singapore. It’s quite an eye-opener.

Apparently somebody broke into the ASUS update servers, and swapped out a valid software/firmware update with one of their own. The bogus update looked like the genuine thing, with a valid certificate, and its size matched the original’s size. As a result, the bad update stayed on ASUS’s servers “for a long time.”

How bad is it? Kaspersky isn’t handing out many details, but the teaser (which reads like a PR release) is quite compelling. Kaspersky calls it Operation ShadowHammer:

The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation.
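The targeting mechanism Kaspersky describes (a hard-coded list of victim MAC addresses baked into the trojanized updater) is something a defender can check for on their own side of the fence. The script below is an added example, not Kaspersky’s checker or anything from ASUS: it normalizes MAC addresses written in the common notations, hashes them, and compares the hashes against a target list. The two entries in `CONSTRUCTED_TARGET_HASHES` are made up for the demonstration, and SHA-256 of the normalized address is an assumption for how such a list might be distributed without publishing the raw addresses; the real ShadowHammer list is not reproduced here.

```python
import hashlib
import re
import uuid

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as lower-case, colon-separated hex.

    Accepts "AA-BB-CC-DD-EE-FF", "aa:bb:cc:dd:ee:ff", "aabb.ccdd.eeff" and
    bare "aabbccddeeff". Raises ValueError for anything that is not 12 hex digits.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """SHA-256 of the normalized address (an assumed encoding for this example)."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list for this example. These two addresses are invented
# and are NOT the real ShadowHammer indicators.
CONSTRUCTED_TARGET_HASHES = frozenset({
    mac_hash("00:11:22:aa:bb:cc"),
    mac_hash("de:ad:be:ef:00:01"),
})


def local_macs():
    """Best-effort list of this host's MAC addresses using only the stdlib.

    uuid.getnode() returns a random number with the multicast bit set when it
    cannot find a real hardware address, so that case is filtered out.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [normalize_mac(f"{node:012x}")]


def find_targeted(macs, target_hashes=CONSTRUCTED_TARGET_HASHES):
    """Return the normalized subset of `macs` whose hash is in `target_hashes`.

    Malformed entries are skipped rather than raising, so the check can be run
    over noisy inventory data.
    """
    hits = []
    for m in macs:
        try:
            if mac_hash(m) in target_hashes:
                hits.append(normalize_mac(m))
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # Check this machine's adapters plus a constructed inventory line.
    inventory = local_macs() + ["00-11-22-AA-BB-CC", "garbage"]
    matched = find_targeted(inventory)
    print("on target list:" if matched else "not on target list", matched)
```

In practice you would feed `find_targeted` every adapter on the host (Wi-Fi, Ethernet, docking stations), since the targeting depended on which adapter’s address the trojan saw, and compare against a list you obtained from a trusted source rather than the constructed one above.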

Kaspersky notified ASUS of the malware on Jan. 31.

According to our statistics, more than 57,000 users of Kaspersky Lab’s products have installed the backdoored utility, but we estimate it was distributed to about 1 million people total.

Sounds bad enough, but there’s yet another teaser on the tail end of the original teaser:

While investigating this attack, we found out that the same techniques were used against software from three other vendors.

Not a breath of which “three other vendors” are involved.

Bottom line: Unless you have an ASUS machine with one of the 600 hard-coded network adapter MAC addresses, there’s nothing to worry about. As for the three other vendors, who knows?

You can file this away in the same bucket with Spectre, Meltdown and other Glitter Glam malware. It’s great theater, and sure to draw lots of attention, but in the end unless you’re defending state secrets, nuclear launch codes or weighty bitcoin wallets, it doesn’t mean much.

PR release – check
Catchy name – check
Commercial tie-in – check
Custom logo – not yet

We’re following the spectacle on AskWoody.
