Your Asus computer might have a secret backdoor

ASUS's Live Update utility was compromised by hackers to install malware on PCs, according to a new report from security firm Kaspersky Labs (via Motherboard).

Judging by information hard-coded in the malware, the attackers' aim was to compromise about 600 specific computers, but the malware is thought to have ultimately been delivered to over a million users.

Interestingly, the cyberattackers perpetrating Operation ShadowHammer originally worked from a list of 600 targets (identified by their MAC addresses) that were hardcoded into the malware.

On Monday, researchers from Kaspersky Labs said the attack was first detected in January 2019.

The hack, which Kaspersky Lab is calling Operation ShadowHammer, went on between June and November 2018.

Live Update is a utility that allows Asus to push out driver, software, and firmware updates to PCs. The trojanized utility was signed with a legitimate certificate, and the hackers even ensured that the tampered file's size matched that of the original.

Kaspersky told our friends at TomsHardware that three other computer makers in Asia had also been "backdoored with very similar methods and techniques", but didn't name the companies. That said, Kaspersky has identified that 57,000 of its own customers installed the compromised ASUS Live Update utility, and the total number of people who downloaded it could be upwards of one million, according to the firm's estimates.

Asus denied this when contacted by Kaspersky in January, telling the company that its servers were not compromised and that it had not hosted any malware.

"The malicious file pushed to customer machines through the tool was called setup.exe, and purported to be an update to the update tool itself", reported Motherboard, which had significant extra detail on the attack. "There were more than 13,000 that received a trojanized update through Asus", a company spokesperson said in an email. So, roughly a million Asus-built computers may have been running a trojanized update utility, with a few hundred actively spied on via the backdoor.

The majority of victims are in the Russian Federation, followed by Germany, France, and Italy.

Kaspersky Lab said it had created a tool to check if a user had been specifically targeted by the ShadowHammer advanced persistent threat.

What happens when legitimate software distribution channels are hacked? If the malicious update scanned a victim computer and located one of those MAC addresses, secondary malware would be loaded onto the machine from a server controlled by the hackers. Even though the investigation is still in progress, it's pretty clear that this supply-chain attack is a big deal.
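The kind of check Kaspersky's tool performs can be reproduced locally: compare a host's MAC addresses against the hard-coded target list. The following is an added example, not code from the article or from Kaspersky; it assumes the list is stored as hashes of normalised MACs (the article says only that MACs were hard-coded), and the two target hashes are constructed from made-up addresses.

```python
import hashlib
import re
import uuid

# Constructed sample: hashes of two made-up MAC addresses standing in for the
# hard-coded target list. Storing hashes rather than raw MACs is an assumption.
TARGET_MAC_HASHES = {
    hashlib.md5(b"00:11:22:33:44:55").hexdigest(),
    hashlib.md5(b"aa:bb:cc:dd:ee:ff").hexdigest(),
}


def normalize_mac(mac):
    """Canonicalise a MAC to lowercase, colon-separated form.

    Accepts 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'AABBCCDDEEFF', etc.
    Raises ValueError for anything that is not exactly six octets.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac):
    """Hash a normalised MAC the same way the target list was built."""
    return hashlib.md5(normalize_mac(mac).encode()).hexdigest()


def targeted_macs(macs, target_hashes=TARGET_MAC_HASHES):
    """Return the normalised MACs from `macs` that appear in the target list.

    Malformed entries are skipped rather than aborting the whole check.
    """
    hits = []
    for mac in macs:
        try:
            if mac_hash(mac) in target_hashes:
                hits.append(normalize_mac(mac))
        except ValueError:
            continue
    return hits


def local_macs():
    """Best-effort: one MAC of this host via uuid.getnode() (stdlib only).

    A real checker should enumerate every adapter, not just one.
    """
    return ["%012x" % uuid.getnode()]


if __name__ == "__main__":
    sample = ["00-11-22-33-44-55", "DE:AD:BE:EF:00:01", "garbage"]
    print(targeted_macs(sample))        # ['00:11:22:33:44:55']
    print(targeted_macs(local_macs()))  # [] unless this host is on the list
```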