Russian cybersecurity firm Kaspersky Lab recently discovered and reported that ASUS' software update service had been compromised by a still-unidentified group, which used that channel to push malware to an estimated one million of the manufacturer's computers.
Motherboard, Vice's technology publication, was the first to report the attack, working from findings provided by Kaspersky Lab's research team, and put those findings to the Taiwan-based manufacturer.
The Numbers
Kaspersky Lab's researchers estimate that over one million ASUS computers received the malware-laced update, which was delivered from the manufacturer's own servers.
Operation ShadowHammer, as the Kaspersky Lab team that found it dubbed the attack, targeted ASUS' supply chain, a tactic that is becoming increasingly common among cybercriminals.
Interestingly, the attackers did not seem to want data from every infected machine: the malware only acted on a small set of targets, identified by the MAC addresses of their network adapters (stored in the malware as hashes, so the target list could not be read off directly). After studying 200 samples of the malicious update, the team counted more than 600 unique MAC addresses as the real goal.
Among Kaspersky Lab's own users, at least 57,000 installed the malware-infected update from ASUS' servers.
According to the report, Operation ShadowHammer ran for about five months, long enough for the malware to reach a considerable number of Windows machines.
Supply-Chain Attacks
Supply-chain attacks are growing in popularity, having proved an effective way to plant malware before a product even reaches the user's hands.
Delivering the malicious payload under a legitimate-looking code-signing certificate, or straight from the vendor's own distribution servers, looks like the perfect plan from an attacker's point of view: every check a user or an operating system would normally apply passes.
Indeed, vendor software updates are a highly efficient channel for attacking a large number of users almost simultaneously. In most cases users trust the manufacturer when it is time to install an update (especially a security-related one), and that trust is exactly the door the attackers walk through.
There’s Nowhere to Run
Investigations continue to determine the real impact of the attack. The most pressing open question is how many of the estimated one million machines that received the update were actually affected beyond receiving it, since the malware was only meant to act on the targeted MAC addresses.
The US, Germany, France, Russia, and Italy are among the most affected countries so far.
This successful attack on the company's live software update tool is a major red flag for manufacturers and users alike. Attacks of this kind are almost impossible for the average (or even above-average) user to prevent: the update was signed with legitimate certificates and arrived through the vendor's own update tool, so it passed every check a user could reasonably perform.
Kaspersky Lab plans to present a full report on the attack at its Security Analyst Summit in Singapore in April. To help limit the attack's impact, the firm has released an automated tool with which its users can check whether they were among the victims of Operation ShadowHammer.
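The victim check described above boils down to the same operation the malware itself performed: take the MAC addresses of the host's network adapters, hash each one, and compare the digests against a hardcoded list. The following is an added example written for this page, not Kaspersky's tool and not code from the ShadowHammer samples. It assumes MD5 as the digest (the algorithm the published analysis describes) and an uppercase, colon-separated MAC string as the hashed input; the exact formatting the real samples used is not covered here and is treated as an assumption. The three target addresses are constructed for the demo and are not real victim addresses.

```python
"""Check a host's network adapters against a list of hashed target MAC addresses.

Added example for this article: it mirrors the structure of a MAC-keyed target
list (or the corresponding victim check), using constructed data throughout.
"""
import hashlib
import re
import uuid


def normalize_mac(mac: str) -> str:
    """Canonical form: six uppercase hex pairs joined by colons.

    Accepts 'aa-bb-cc-dd-ee-ff', 'AABBCCDDEEFF' and 'aa:bb:cc:dd:ee:ff'.
    Assumption: the real malware's exact input formatting is not known here,
    so the canonical form is a choice made for this example.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def hash_mac(mac: str) -> str:
    """MD5 hex digest of the canonical MAC string (MD5 per the public analysis)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed targets. In a real sample only the digests would be present; the
# plaintext addresses are kept here solely so the example can build its own list.
_CONSTRUCTED_TARGET_MACS = [
    "00:11:22:33:44:55",
    "de-ad-be-ef-00-01",
    "0A1B2C3D4E5F",
]
TARGET_MAC_HASHES = frozenset(hash_mac(m) for m in _CONSTRUCTED_TARGET_MACS)


def matching_macs(adapter_macs, target_hashes=TARGET_MAC_HASHES):
    """Return the canonical MACs from adapter_macs whose digest is in the target list.

    Every adapter is checked, not just the primary one: a host with several
    interfaces has several MACs, and any one of them may be on the list.
    Malformed entries are skipped rather than aborting the whole check.
    """
    hits = []
    for mac in adapter_macs:
        try:
            digest = hash_mac(mac)
        except ValueError:
            continue
        if digest in target_hashes:
            hits.append(normalize_mac(mac))
    return hits


def local_macs():
    """Best-effort list of this host's MAC addresses using only the standard library.

    uuid.getnode() returns one hardware address; if it cannot find one it
    returns a random number with the multicast bit (bit 40) set, which we
    discard because it is not a real adapter. A production check would
    enumerate all adapters with a platform-specific API instead.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [normalize_mac(f"{node:012X}")]


def check_this_host(target_hashes=TARGET_MAC_HASHES):
    """Return the list of this host's MACs that appear in the target list."""
    return matching_macs(local_macs(), target_hashes)


if __name__ == "__main__":
    hits = check_this_host()
    print("targeted adapters:", hits if hits else "none")
```

Two points worth noting. First, hashing the target list lets the attacker ship it inside the malware without revealing who the targets are, and it is also why a defender's tool has to hash the local adapters and compare rather than look anything up. Second, the hashing is not real protection for the list: a MAC address is only 48 bits, and once the vendor prefix (the first three bytes) is guessed, the remaining 2^24 values can be hashed and compared in seconds, so the targets can in principle be recovered by brute force.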