Massive ASUS Update Software Breach Leaves Thousands Vulnerable To ShadowHammer Backdoor Attack

If you have an ASUS computer that is running the company’s Live Update utility, it’s possible that your system was susceptible to backdoor intrusions during the latter half of 2018. The folks at Kaspersky say that they first discovered the existence of Operation ShadowHammer on January 29th, and have been performing forensic analysis on the security exploit ever since.

According to Kaspersky, ASUS Live Update, which is preinstalled on ASUS systems, was compromised, allowing Operation ShadowHammer to propagate between June 2018 and November 2018. ASUS Live Update is intended to allow users to easily update a system’s BIOS/UEFI, drivers and OEM apps. But holes in the software gave hackers a backdoor to users’ computers.

The security firm says that it determined that 57,000 of its customers unknowingly downloaded and installed malicious software using the tainted version of ASUS Live Update; however, the total potential infected population is much higher.

“We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide,” said Kaspersky.

Interestingly, the cyberattackers perpetrating Operation ShadowHammer originally worked from a list of 600 targets (identified by their MAC addresses) that were hardcoded into the malware. Once the malware was loaded onto a system, it contacted a command-and-control server to download additional malware. Because the malware was distributed through the ASUS Live Update service, however, the number of infected machines ballooned far beyond that target list.

Kaspersky says that it first contacted ASUS about its findings on January 31st. Kaspersky reportedly met with an official from ASUS on February 14th for a debriefing on Operation ShadowHammer, but Motherboard states, “the company has been largely unresponsive since then and has not notified ASUS customers about the issue.”

Symantec separately confirmed Kaspersky’s findings, with Liam O’Murchu telling Motherboard, “We saw the updates come down from the Live Update ASUS server. They were trojanized, or malicious updates, and they were signed by ASUS.”

“Supply chain attacks are in the ‘big deal’ category and are a sign of someone who is careful about this and has done some planning,” added Tony Sager, SVP for the Center for Internet Security. “But putting something out that hits tens of thousands of targets when you’re really going only after a few is really going after something with a hammer.”

At this time, there is no official update from ASUS on Operation ShadowHammer or how it hopes to proceed with informing customers who were compromised, or what steps it will take to ensure that exploits like this aren’t taken advantage of in the future.

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid-’90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech, where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.