SAS 2019

ShadowHammer: Malicious updates for ASUS laptops

Our technologies detected a threat that seems to be one of the biggest supply-chain attacks ever.

Bender the Robot
March 25, 2019

Thanks to a new technology in our products that is capable of detecting supply-chain attacks, our experts have uncovered what seems to be one of the biggest supply-chain incidents ever (remember CCleaner? This one’s bigger).

A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.

The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.

According to our statistics, more than 57,000 users of Kaspersky Lab’s products have installed the backdoored utility, but we estimate it was distributed to about 1 million people total. The cybercriminals behind it were not interested in all of them, however — they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. To check if your MAC address is on the target list, use our tool, which you’ll find at https://shadowhammer.kaspersky.com/.

While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack.

As of now, all Kaspersky Lab solutions detect and block the trojanized utilities, but we still suggest that you update the ASUS Live Update Utility if you use it. Our investigation is still ongoing.
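The targeting mechanism described above, a hardcoded list of MAC address hashes compared against the machine's own adapters, is also what a defender's lookup tool has to reproduce. The following is an added example, not Kaspersky's tool or any code from the trojanized utility: it normalizes the MAC address formats an operator might paste (colon, dash, Cisco dot, or bare hex), hashes the canonical form, and checks it against a target set. The hash algorithm (SHA-256) and the canonical form (12 lowercase hex digits) are assumptions for the illustration; the post does not state which the real utility used, and the target digests here are computed from constructed sample addresses, not the real list.

```python
import hashlib
import re
import uuid

# Assumption: the post does not name the hash used by the utility; SHA-256
# is chosen here only for the illustration.
HASH_ALG = "sha256"


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and bare
    hex. Raises ValueError for anything that is not a 48-bit address, so a
    typo never silently becomes a "not targeted" verdict.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_hash(mac: str) -> str:
    """Digest of the canonical MAC; the same address in any notation hashes alike."""
    return hashlib.new(HASH_ALG, normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample target set (NOT the real ShadowHammer list). A lookup
# tool ships only digests, never the plaintext addresses of the victims.
TARGET_MAC_HASHES = frozenset(mac_hash(m) for m in (
    "00:11:22:33:44:55",  # constructed
    "AA-BB-CC-DD-EE-FF",  # constructed
))


def is_targeted(mac: str, targets=TARGET_MAC_HASHES) -> bool:
    return mac_hash(mac) in targets


def check_macs(macs, targets=TARGET_MAC_HASHES):
    """Return the canonical form of every given MAC whose digest is in targets.

    Unparseable entries are skipped rather than treated as a match or a miss.
    """
    hits = []
    for m in macs:
        try:
            if is_targeted(m, targets):
                hits.append(normalize_mac(m))
        except ValueError:
            continue
    return hits


def local_mac_addresses():
    """Best-effort local lookup: uuid.getnode() returns one adapter's MAC on
    most systems, or a random value with the multicast bit set if none is
    found. Such a random value is discarded instead of being checked."""
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit set: not a hardware address
        return []
    return [f"{node:012x}"]


if __name__ == "__main__":
    hits = check_macs(local_mac_addresses())
    print("on the (sample) target list:" if hits else "not on the (sample) list", hits)
```

Run stand-alone, the script checks the adapter that `uuid.getnode()` reports against the sample set; for a real check, every adapter's address (Ethernet, Wi-Fi, docking stations) should be collected, since the utility could have matched any of them.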
If you want to learn more about one of the biggest supply-chain attacks ever, dive deep into technical details, see the IOCs, understand who the targets were, and get some advice on how to protect yourself from supply-chain attacks such as this one, we suggest visiting the SAS 2019 — the warmest security conference opens its doors on April 8 in Singapore. There we’ll have a talk dedicated to the ShadowHammer APT with a lot of interesting details. The tickets are almost sold out, so you’d better hurry. Alternatively, you can read our full report, which will also become available during the SAS, on securelist.com. Stay tuned!