Kaspersky have identified backdoor malware being sent out from ASUS servers via its trusted automatic software update tool. The malware was inserted via a compromised server used to send out the software updates.

Legitimate Malware

The malicious tool was sent out by a compromised server to about 500,000 users, and was signed as genuine by the server, allowing it to slip silently past antivirus software.

Kaspersky say the backdoor malware was being distributed for at least five months before it was discovered.

Interestingly, the malware appears to have been designed to target a very small number of individual machines, using their MAC address (a unique number assigned to the network card in each machine) to identify them.

Once installed, the malware checked the MAC address and, if it matched an identified address, connected to another server under the hackers' control to download additional malware.

Supply chain attacks

This is not the first supply chain attack; indeed, that method of attack is on the increase.

CCleaner, the security cleanup tool, had its update server compromised and was found to be delivering malware to its users via the in-app update mechanism. More than 2 million users were infected before it was discovered.

The most infamous attack of this type was the Russian-backed NotPetya malware that was sent out to Ukrainian businesses using the M.E.Doc accounting software. The attack spread very quickly, affecting businesses globally.

In a similar attack in 2012, some Windows users were duped into downloading malicious software from a fake Windows update server.

ASUS response

Worryingly, ASUS have been very slow to respond to this attack: there has been no official word from them, and they have failed to notify their users of the attack.

Indeed, it took them several weeks to stop using the compromised server, and they still have not revoked the compromised certificate used to sign the malware as genuine.

ASUS have previously been accused of failing to protect their customers when multiple vulnerabilities were found in their routers, cloud storage and backup systems and their firmware update tools. It took the company over a year to address the vulnerabilities, leaving customers exposed to attacks and malware that could have allowed attackers to take over their devices.
