When it comes to PCs, true security is a myth. Lest anyone need reminding of this, security firm Kaspersky dropped a bombshell on Monday, saying hackers were able to install backdoors on tens of thousands of PCs—and maybe even millions of systems—by pushing out firmware updates through Asus’s own Live Update software.
In security parlance, a backdoor is a way for an administrator to gain access to a system or data through a generally undocumented means. By their nature, backdoors are vulnerabilities that attackers can exploit, if they know about them.
Live Update is a utility that allows Asus to push out driver, software, and firmware updates to PCs. It comes preinstalled on many Asus-brand laptops and desktops, and is offered as a standalone download for the company’s millions of motherboards. Using Live Update is a convenient way to stay updated, and until now, has been considered safe.
It might not be as safe as we assumed, however. After Vice Motherboard ran a story on Kaspersky’s findings, the security firm clarified a few details in a blog post, saying that over 57,000 users of its antivirus software have downloaded and installed the compromised version of Live Update at some point in time.
“We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide,” Kaspersky said.
Dubbed “Operation Shadowhammer,” the culprits may not have actually been targeting millions of users, but a comparatively select few.
“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses … We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list,” Kaspersky added.
Kaspersky discovered the “sophisticated supply chain attack” in January of this year and found links to an attack from 2017. The company says one of the reasons it was able to go undetected all of this time is because the Trojanized updates were signed with legitimate security certificates from Asus, and were hosted on Asus’s official update servers.
Asus denied this when contacted by Kaspersky in January, telling the company that its servers were not compromised and that it had not hosted any malware. However, Kaspersky is not the only security outfit to trace the malware samples back to Asus.
Symantec, makers of Norton software, told Motherboard that it found another 13,000 computers with the malicious software update utility. That bumps the tally to 70,000, though the true number could be in the hundreds of thousands, or even millions, as Kaspersky surmises.
“We saw the updates come down from the Live Update Asus server. They were trojanized, or malicious updates, and they were signed by Asus,” said Liam O’Murchu, director of development for the Security Technology and Response group at Symantec.
Asus may not be the only one affected by this attack. Kaspersky told our friends at TomsHardware that three other computer makers in Asia had also been “backdoored with very similar methods and techniques,” but didn’t name the companies.