ASUS Live Update - operation ShadowHammer

and …

… watch this space … more to come. It wouldn’t surprise me if this is a lot bigger than first realised.

Although precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well.

… this could be ‘interesting’ …


Kaspersky’s SecureList website really hates ad-blockers! It must source all its images from another domain.

I had to immediately go and check my ASUS laptop, to confirm that I had indeed disabled this software when I first got the device. (A good habit to get into is to disable any software like this, and do your own updates.) That said, it is not a supply chain attack as the user has to go and get the software! Poor work, Kaspersky - you generally do better than this (i.e. I trust a Russian company as much as I do a US company).

EDIT: I have revisited the Kaspersky and SecureList websites, and it is now unclear to me whether this is a supply chain attack or not! The former has few details and refers to the malware being hosted on ASUS servers; the latter has a few more details, but does not refer to where the malware was hosted.

The Motherboard article relies extensively on the two Kaspersky websites, but also states that ASUS denied to Kaspersky that its server had been compromised, and has not responded to Motherboard’s enquiries.

And now ASUS has confirmed it, per @draughtrider below.


Asus spake thus:

Avira had this to say …

Many were sent, some installed it

The success rate for the bogus update looked like the traditional sales funnel: Early estimates are that it was sent to over a million devices and several hundred thousand devices are believed to have actually installed it. “So far at Avira, we’ve seen more than 438 thousand executions of the initial installer by Asus customers,” stated Vukcevic. “The second stage PE file, which contains the malicious code and will be executed by the installer, is already flagged by Avira as “TR/ShadowHammer.ME” with the current pattern update.”

Were only 600 chosen?

The most interesting part of this story is that out of the hundreds of thousands of estimated infected devices, only a few hundred were targeted for additional malware. The initial installer identified these computers by their MAC address, the device identification number for each device. Once it had successfully fingered these devices, it reached out to a command and control center for an additional, second stage dose of malware for them.

Avira research has shown that the list was small, but that this list also changed with various renditions of the malware. “The June 12 binary only contains a very short list of MAC addresses, but there were updates to the malware binary that continued to receive more MAC numbers every time,” added Vukcevic:

This supports the scenario that the attackers’ goal was to get into specific victims’ devices on an “as needed” basis – not to widely distribute malware and monetize their work via bank fraud or a ransomware attack.

Was it a bug or a strategy in the malware?

The malware’s construction took a strange turn after June 23 when the primary stopped working. “All modified versions of the ASUS setup executable after this time contained an invalid EXE resource where the malware code at the beginning of the file is overwritten with random bytes,” explained Vukcevic. “It could be the campaign ended and the malicious binary was replaced by the authors or that Asus somehow prevented the malware from retrieving the desired payload — either way, it stopped working.”

… curiouser and curiouser …


My weekly security podcast addressed this in the current episode, and while the nerd disagrees with my thoughts, he has a different explanation. I have now come up with a third, based upon the various issues in this ‘attack’:

  1. The malicious software was on two ASUS servers. Someone had to be able to access both servers, or modify the software before it went to the servers but after QA was complete.
  2. The software was compromised for five months. During this time, the security certificate validly issued by ASUS expired - and the malicious software was re-signed using another security certificate issued by ASUS. (Your private certificate, which is used for signing software, websites etc., is kept super-secure, because if you lose control of it anyone can impersonate you online!)
  3. The malware targeted specific MAC addresses. These are broadcast when you’re on a WiFi network, but if the laptop is sitting at home they are not so easy to find. In order to get a list of more than 600 specific MAC addresses, you would need to have a bunch of intelligence - thus a state actor. Alternatively, you have access to ASUS sales records. Which means either an advanced persistent threat in ASUS networks, or a state actor.

The alternative to ASUS being ‘compromised’ by an advanced persistent threat is quite obvious. An intelligence agency such as the NSA has the power to order companies to insert back doors in their software, as well as to order them to keep quiet about the order. So:

  1. the NSA goes to ASUS (and quite possibly other computer manufacturers) and says “we need to see everything that’s on the computers owned by [list of targets]”.
  2. ASUS says “we can’t do that, we don’t know how to identify these targets”.
  3. NSA gives details of targets, ASUS is able to identify possible computers owned by them.
  4. ASUS delivers software update to all its laptops, but specifically listing those MAC addresses owned by the potential targets for additional software (the malware).
  5. The NSA says “thank you very much”, and goes to its next manufacturer on the list.
  6. Several months later, an AV company identifies that its users with ASUS LiveUpdate got a bad copy during 2018, investigates, and starts calling out a ‘supply chain attack’.