What happens when legitimate software distribution channels are hacked? Asus has found out the hard way after it was revealed that about a million PCs were infected during the second half of last year. The attack, dubbed ShadowHammer by Kaspersky, which discovered it, was disclosed to Asus in January; Asus decided not to notify its customers.
The threat actors were able to infiltrate Asus’ update service, used to distribute BIOS, UEFI and software updates to ASUS laptops and desktops, and modify the ASUS Live Update Utility to deliver a trojanised payload. Although the tainted ASUS Live Update Utility may be on your computer, the payload specifically targeted a pool of about 600 machines identified by their network adapters’ MAC addresses.
According to Kaspersky, the tainted software was signed with legitimate certificates, such as those issued to “ASUSTeK Computer Inc”, which is why it escaped detection between June and November 2018. A valid signature only proves who signed a file, not that the build was clean before it was signed, so signature checks alone could not have caught it. It was only discovered when Kaspersky deployed a new tool for detecting supply chain attacks.
In a supply chain attack, threat actors don’t target endpoints directly. Instead, they go after the places endpoints trust. This attack on Asus’ update servers is the equivalent of infecting an audited and curated app inside an app store.
While the attack may have infected up to a million computers, the actual target was much smaller. According to a report, “The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses”.
And, while the attack targeted users across the world, it doesn’t seem Aussie users were affected. But given the travel patterns of people, it’s worth checking your computer for an infection all the same.
So, while the Trojan may be widespread, it is likely to only be weaponised in a very small number of instances. This suggests it might be part of a wider coordinated effort or a proof-of-concept for a larger attack.
If you suspect that you’ve been infected with ShadowHammer, Kaspersky has released a tool that can help you check.
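The MAC-address gate described above, and the kind of check a "have I been targeted" tool performs, as an added Python example that is not Asus, Kaspersky or the article's own code. It assumes the implant embeds hashes of MAC addresses rather than the addresses themselves (the hash function, the MAC formatting and every address below are assumptions or constructed data, not real ShadowHammer indicators), and that a defender can run the same comparison against their own interfaces.

```python
"""MAC-address targeting gate, as an illustration of the ShadowHammer technique.

Added example, not Asus, Kaspersky or article code. MD5, the canonical MAC
format and all addresses here are assumptions/constructed data, not real IoCs.
"""
import hashlib
import re

# Constructed "victim" MACs for the demo. A real implant would embed only the
# hashes (see TARGET_MAC_HASHES), so the target pool cannot be read out of the binary.
CONSTRUCTED_TARGET_MACS = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-FF",  # different separator, same device once normalised
]

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the canonical form 'aa:bb:cc:dd:ee:ff' (format is an assumption).

    Accepts colon, dash or dot separated input; raises ValueError otherwise.
    Both sides must normalise identically or hashes never match.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_fingerprint(raw: str) -> str:
    """Hash of the canonical MAC; the gate compares fingerprints, never plaintext."""
    return hashlib.md5(normalize_mac(raw).encode()).hexdigest()


# What the implant would actually carry: fingerprints only, derived offline.
TARGET_MAC_HASHES = frozenset(mac_fingerprint(m) for m in CONSTRUCTED_TARGET_MACS)


def matching_macs(local_macs, target_hashes=TARGET_MAC_HASHES):
    """Return the local MACs whose fingerprint is in the target set.

    The implant runs this to decide whether to stage its payload; a defender
    runs the same check with a published hash list to learn if they were in the pool.
    """
    return [m for m in local_macs if mac_fingerprint(m) in target_hashes]


def macs_from_ip_link(output: str):
    """Pull 'link/ether' addresses out of `ip link` output (loopback is skipped)."""
    return re.findall(r"link/ether\s+([0-9a-f:]{17})", output)


# Constructed `ip link` output; not captured from any real host.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
"""


def check_host(ip_link_output: str = SAMPLE_IP_LINK):
    """Check one host's interfaces; returns (all_macs, macs_in_target_pool)."""
    macs = macs_from_ip_link(ip_link_output)
    return macs, matching_macs(macs)


if __name__ == "__main__":
    macs, hits = check_host()
    print("interfaces:", macs)
    print("in target pool:" if hits else "not in target pool", hits)
```

To use this on a real machine you would replace the constructed hash set with a published list and feed it the output of `ip link` (or the equivalent on Windows). Hashing the target list is what keeps the pool "unknown" to analysts: a defender only has to hash their own handful of MACs, while recovering the full list from the hashes means brute-forcing a 48-bit space, made smaller only by guessing vendor OUI prefixes.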