ASUS laptops infected by the “ShadowHammer” malware were targeted by the People’s Republic of China. At least, that’s the implication of a Kaspersky Lab researcher.
Mind you, Kaspersky is alleged to be rather close to a certain other state. So a pinch of salt might be indicated.
Whoever’s responsible, there are worrying implications for the future of state-sponsored cyber-ops. In this week’s Security Blogwatch, everything looks like a nail.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Tim Burton.
ASUS’ suspicious PRC APT
What’s the craic? Caroline Haskins has ASUS Confirms It Was Used to Install Backdoors on Its Customers' Computers:
[On Monday we] revealed that Taiwanese computer hardware company ASUS was used to install backdoors. [On Tuesday] ASUS confirmed [it] in a press release.
…
Kaspersky Lab claimed they found the malware, which it dubbed ShadowHammer, on 57,000 computers. However, the company estimates that many more devices may have been compromised.
…
[The] backdoor was being pushed to Windows machines for at least five months in 2018. The backdoor was discovered by Kaspersky Lab in January 2019.
Xzibit A? Shaun “memecursion” Nichols joins in—Yo dawg, we hear a million of you got pwned:
So we got you an update for the update.
…
When about a million Asus laptops checked in automatically for software updates, they downloaded from Asus's systems the dodgy copy of Live Update, which was cryptographically signed using Asus's security certificate … so everything looked above board. … The compromised utility was designed to snoop on roughly 600 targets.
…
Asus implied … ShadowHammer was carried out by an unnamed nation's spies against a particular organization. … The fact that network adapter MAC addresses were baked into the backdoor … suggests the snoops behind ShadowHammer were well aware of the internal operations of their target.
…
This supply-chain infiltration should not put you off installing security updates from manufacturers and software makers.
What does ASUS have to say for itself? An anonymous PR flack offers this response to the recent media reports:
A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. … As such it is extremely unlikely that your device has been targeted.
…
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software. … Additionally, we have created an online security diagnostic tool to check for affected systems.
…
Only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.
Kim Zetter—who broke the story Monday—ain’t at all impressed:
Everyone talks about the dreaded nightmare of supply-chain attacks. This is what a real-world supply chain attack from a vendor’s server looks like.
…
Kaspersky Lab researchers contacted ASUS Jan 31 and met … in person Feb 14. The company insisted the hack didn’t happen. When Kaspersky offered to help them with forensic to show it did, ASUS wanted them to sign NDA. The company went silent after that.
…
ASUS has finally released statement. Says only small number of machines infected (researchers say 500k+); also says it’s finally begun to notify customers.
…
They don’t bother to thank Kaspersky at all in statement. … I think it’s safe to say they would have remained silent about this if Kaspersky had not gone public.
…
So the question is, who will verify this? Under its previous settlement with the FTC in 2016 for poor security practices, ASUS agreed to independent audits for the next 20 yrs. Will this patch and new security measures get an independent audit?
But Lost Race loses their excrement: [You’re fired—Ed.]
So much facepalm.
…
Don't worry, the malware only "targeted" a small group of users. Never mind that malware ran with full admin privs on your computer undetected for months. You're totally safe because it didn't "target" you specifically.
And so much incompetence? flukus thinks the blame doesn’t lay entirely at ASUS’s feet:
Hardware companies are extremely incompetent at anything software related.
We see this in everything from PCs and phones (touchwizz, htc sense) right down to TVs and various IoT devices. I can't imagine what the PC industry would [look] like if luck hadn't delivered us an open platform.
So what about this state-sponsorship angle? Prof. Steven Bellovin calls it A Dangerous, Norm-Destroying Attack:
The implications are about as bad as possible. … Trust in the update channel is utterly vital. … If this scares people away from patching their systems, it will hurt the entire Internet, possibly in a disastrous way.
…
Whoever launched this attack was either not worried about such issues—or felt that the payoff was worth it. … (And we don't know who it is, though Kaspersky has tied it to the BARIUM APT, which some have linked to China.)
…
We desperately need international agreements on military norms for cyberspace. These won't be easy to devise nor to enforce, but ultimately, self-restraint may be the best answer.
On the other hand, NelsonMinar finds the restriction to 600 PCs is “sort of comforting”:
One danger of the growth of state-actor malware is that a lot of us could be collateral damage caught in the crossfire. This sort of precise targeting seems at least reasonably responsible. Stuxnet also had careful target selection.
But by whom? Here’s Kaspersky researcher Costin Raiu—@craiu:
In some cases, the #shadowhammer backdoor checks both the NIC and WiFi adapter MACs to identify the victim for further exploitation. Second stage is deployed only if both addresses match. It was really that targeted.
…
Previous BARIUM operations like #ShadowPad and CCleaner are possibly the main source of interesting MACs for this attack.
At which, this Anonymous Coward waxes insightful:
Maybe I'm just jaded but I assume ASUS had no option and the software was planted by a nation state using laws that force them to comply (and ban them from admitting or reporting it).
The most likely scenario is an embargoed nation who aren't allowed to buy the laptops, or software supplied with them. The nation state then sets up a company and sells the embargoed goods to the embargoed state.
This company makes a show about wiping them and proving they are not compromised. Laptops delivered then download the spyware.
Alternatively it could be that the 600 had spyware on them but were cleaned (sometimes those you spy on find out) and this is an attempt to re-implement the spyware.
Meanwhile, at least ASUS has finally released a patch, eh? Jonathan Crowe gently mocks:
Gotta love the double-or-nothing approach.
"Worried we installed malware? Try another download!"
The moral of the story?
Does your software have an auto-update mechanism? How trustworthy is it? How trustworthy do your users think it is?
And finally
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: torange.biz (cc:by)
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
