Asus' Live Update system breached to distribute malware to hundreds of thousands of users

Hackers digitally signed the malicious file with Asus' own code-signing certificate

Asus' Live Update system has been breached by hackers, enabling them to send malware to hundreds of thousands of PCs, in a supply-chain attack reminiscent of the CCleaner breach in 2017.

The attack was first identified by Kaspersky Lab researchers in January 2019. The attackers breached the backend of Asus' automated Live Update software between June and November last year, resulting in the installation of a backdoor called 'ShadowHammer' on a large number of Asus computers.

The Asus Live Update utility, which is pre-installed on most Asus systems, is used to automatically update a number of components, including UEFI, BIOS, applications and drivers.

However, the attackers did not attempt to infect every machine that could potentially have been compromised.

After examining more than 200 samples of the malicious updates, Kaspersky researchers found that the attackers targeted only around 600 specific computers, identified by their MAC addresses. The list of targeted MAC addresses was included in the malicious code.

"Of course, there might be other samples out there with different MAC addresses in their list," the researchers cautioned.
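The selective targeting described above is what a defender-side checker has to reproduce: compare the MAC addresses of a host against the list carried by the malware. The script below is an added example, not the article's or Kaspersky's tool; the target list is a constructed placeholder, and the optional hashed-list mode (MD5 over the normalized 12-digit form) is an assumed encoding convention.

```python
import hashlib
import re
import uuid

# Constructed placeholder standing in for the MAC list embedded in the
# backdoored updater; the real indicators are deliberately not reproduced.
TARGETED_MACS = [
    "00:11:22:33:44:55",
    "66-77-88-99-aa-bb",
]

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce any common MAC spelling (colons, dashes, dots, spaces, mixed
    case) to 12 lowercase hex digits; return None if it is not a valid MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if HEX12.match(digits) else None


def mac_digest(normalized_mac):
    """MD5 hex digest of a normalized MAC, for lists stored as hashes
    (assumed convention: hash over the 12 lowercase hex digits)."""
    return hashlib.md5(normalized_mac.encode()).hexdigest()


def local_mac_addresses():
    """Best-effort, stdlib-only enumeration of this host's hardware address."""
    node = uuid.getnode()
    # uuid.getnode() falls back to a random 48-bit value with the multicast
    # bit (bit 40) set when no real interface MAC can be read; skip that.
    if (node >> 40) & 1:
        return []
    return ["%012x" % node]


def match_targets(local_macs, target_list, hashed=False):
    """Return the normalized local MACs found in target_list.
    With hashed=True, target_list holds MD5 digests instead of plaintext MACs."""
    if hashed:
        targets = {t.lower() for t in target_list}
        key = mac_digest
    else:
        targets = {n for n in map(normalize_mac, target_list) if n}
        key = lambda n: n
    hits = []
    for mac in local_macs:
        n = normalize_mac(mac)
        if n and key(n) in targets:
            hits.append(n)
    return hits


if __name__ == "__main__":
    found = match_targets(local_mac_addresses(), TARGETED_MACS)
    print("targeted" if found else "not in list", found)
```

A real check should enumerate every interface (Wi-Fi, wired, docking-station NICs), since the malware compared against all adapters present, not just the one `uuid.getnode()` happens to pick.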

Kaspersky said that about 57,000 of its users downloaded the malicious version of Asus Live Update. They also estimated that the malicious update tool could have affected more than one million users in total.

Rival security firm Symantec also identified 13,000 of its users hit with the malware.

Researchers haven't definitively attributed the attack to any specific APT group so far, but based on the evidence collected, they have pointed the finger at the BARIUM APT group, which is also thought to have been behind the Winnti backdoor. This was used in attacks on German industrial companies in December 2016.

The BARIUM APT has been linked with the Chinese state, while Asus is one of the biggest companies in Taiwan, an independent state that China nevertheless claims.

According to Motherboard, which first reported the news, the hackers digitally signed the malicious file with Asus' own code-signing certificate, which enabled the file to appear as an official software update from Asus and to remain unnoticed for a long time.

The backdoored tool was then pushed to Asus' download servers, which hosted it for several months last year. The malicious updates were installed on Asus computers, which applied the updates by default.

Kaspersky has advised people using the Asus Live Update utility to update it without delay. It has also released a tool for users to check whether their devices were specifically targeted by ShadowHammer.