Asus: Yo dawg, we hear a million of you got pwned by a software update. So we got you an update for the update
PC maker emits legit version of its driver, BIOS upgrade util after supply chain hijack
Asus has released an update for its software update utility to rid about a million of its notebooks of a spyware-laden software update pushed to victims by its software update system.
And breathe in.
The Taiwanese PC giant on Tuesday published a fresh clean version of Live Update, which is a tool that keeps firmware driver and BIOS software up to date, and is bundled with Asus computers. Users should download and install it. Between June and November last year, during a cyber-espionage campaign dubbed ShadowHammer, someone broke into Asus's software update servers, and hid a backdoor in a copy of Live Update.
When about a million Asus laptops checked in automatically for software updates, they downloaded from Asus's systems the dodgy copy of Live Update, which was cryptographically signed using Asus's security certificate, and had the same file length as a previous legit version, so everything looked above board, and then installed it. In effect, these machines were inadvertently fetching spyware over the internet from Asus's servers, and running it. The compromised utility was designed to snoop on roughly 600 targets, identified by network MAC addresses hardcoded in the binary. Thus hundreds of thousands of Asus notebooks got a dormant backdoor in a compromised download of Live Update, and a few hundred were actively spied on.
Now Asus has emitted a non-spyware-riddled version of Live Update for people to install on its notebooks, which includes extra security features to hopefully detect any future tampering.
Spyware sneaks into 'million-ish' Asus PCs via poisoned software updates, says KasperskyREAD MORE
"Asus Live Update is a proprietary tool supplied with Asus notebook computers to ensure that the system always benefits from the latest drivers and firmware from Asus. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group," Asus said today in a statement.
"Asus customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
"Asus has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.
"At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."
Asus also said it had created a scanning tool [.zip file] to let customers check if their PC is among those afflicted. Presumably that download is malware free.
Symantec also confirmed its antivirus tools, like Kaspersky's, had detected the backdoored Live Update on its customers' systems. Kaspersky is due to publish a full report into the shenanigans.
From the wording of Asus's statement, the PC maker seems more concerned about the tampering of downloads while they are in transit, effectively thwarting man-in-the-middle attacks. Yet Kaspersky claimed the backdoored utility was hosted on Asus's update server, meaning the code was nobbled at the source rather than while going over the wire. Asus's efforts to prevent man-in-the-middle fiddling is all well and good, as long as the PC slinger has also sufficiently shored up the security of its download servers, so updates can't be poisoned again.
Also, Asus implied in its statement that ShadowHammer was carried out by an unnamed nation's spies against a particular organization or entity rather than random netizens. It described the intrusion as the work of an advanced persistent threat, which it defined thus:
Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers.
The fact that network adapter MAC addresses were baked into the backdoored Live Update build suggests the snoops behind ShadowHammer were well aware of the internal operations of their target.
Tim Erlin, veep of product management and strategy for security house Tripwire, noted that Asus did not answer many of the questions netizens will have about the attack, and how they should deal with it.
"While Asus may have released a fix, if you’ve already been compromised that might not be enough. Affected users need to find out whether the attackers have actually targeted them, and then they need to assess the extent of the compromise," Erlin told The Register.
“This attack leveraged a very broad platform, the Asus updates, but then strategically targeted a small set of those initially compromised for further attack. The fix from Asus doesn’t help us understand who was targeted and why."
This supply-chain infiltration should not put you off installing security updates from manufacturers and software makers. The advice from experts is keep those automatic patches coming, as these sorts of attacks are extremely rare, though not unheard of, while exploits that hit known vulnerabilities, for which fixes are available, never go away. ®