On Monday, we saw once again how criminals can exploit corporate trust and use it as a weakness.
Cybersecurity journalist Kim Zetter revealed that one of the world’s largest computer manufacturers, Taiwan-based ASUS, had mistakenly installed a backdoor program dubbed “ShadowHammer” onto the computers of thousands of customers after hackers infiltrated the company’s automated software update system.
Experts offering initial estimates suggest the trojanized update may have affected up to half a million Windows machines. Kaspersky reported 57,000 users of ASUS’s products were attacked, “but we estimate it was distributed to about 1 million people total.” Symantec telemetry showed 13,000 infections (80 percent of which were consumers, not organizations). The full scope of the attack has yet to be established.

The attackers’ motive remains unclear, but Kaspersky noted that 600 MAC addresses were specifically targeted, even though the malicious update involved far more.
Gizmodo has reached out to ASUS for comment and we’ll update as soon as one is provided. Zetter said she first reached out to ASUS on Thursday but had yet to get a reply.
If you want to know if your ASUS system was one of the 600 the hackers were targeting with that backdoor, @kasperskyLab has a web site where you could check https://t.co/WLhSJICHGi; if you don’t want to enter your MAC address in that site they also have a tool you could run

— Kim Zetter (@KimZetter) March 25, 2019
ShadowHammer is what’s known as a supply-chain attack, in which hackers compromise targets by injecting malicious code into the hijacked software updates of a third-party service. On average, businesses are far less suspicious of these updates because they’re deployed by vendors whose software is already trusted. Applying updates is also something IT professionals are told to do right away, as they routinely contain security patches intended to make a product safe.
This form of transitive trust is becoming increasingly precarious due to an uptick in supply-chain attacks, as several end-of-2018 analyses on the evolving threat landscape described. Symantec, for example, found that supply-chain attacks had increased by 78 percent compared to the previous year. Notable incidents involved CCleaner, a widely used security cleanup tool, and the NotPetya attacks, in which a payload was injected into Ukrainian accounting software.

Noting that the malicious file was signed using ASUS’s digital certificate and distributed through official channels, a research and analysis director at Kaspersky told Zetter that the incident illustrates “that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are secure from malware.”
As she noted, ASUS has previously settled charges brought by the Federal Trade Commission (FTC) over vulnerabilities in its routers, flaws that it was accused of concealing from consumers for a year or more, by promising to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”
It’s too early to tell whether the FTC will take action and investigate this incident, or whether it will consider it a violation of its prior order. (The FTC Act empowers the commission to seek civil penalties and/or injunctive relief when companies violate such agreements.)

“While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack,” reported Kaspersky, which also advised anyone using the ASUS Live Update Utility to update it immediately.
A technical paper revealing more about ShadowHammer will be released, the company said, during the Kaspersky Security Analyst Summit next month.
[Motherboard]

Update, 3/27: ASUS released the following statement:
ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.

ASUS also released an online diagnostic tool which it says can be used to check for affected systems. (Use at your own discretion.)