Operation ShadowHammer hijacks ASUS Live Update to install backdoor


Cyber attackers hijacked ASUS Live Update last year and delivered a backdoored version to thousands of ASUS PCs. The utility is pre-installed on most ASUS computers and is used to keep them up to date with the latest firmware, drivers and applications.

Security researchers from Kaspersky Lab discovered the sophisticated supply chain attack dubbed “Operation ShadowHammer” in January 2019 and said the attack took place between June and November 2018. The company reported the attacks impacted a large number of users.

According to the report released on Monday, the cyber attack “matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques.”

The Kaspersky researchers also said part of the reason the attacks went undetected for so long was that the trojanized updaters were signed with legitimate certificates (e.g., “ASUSTeK Computer Inc.”).

Approximately 57,000 users downloaded the compromised version of ASUS Live Update, but many more users could have been impacted, according to the report.

“We estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide,” Kaspersky added.

The cyber attack appears to have targeted an “unknown pool of users” who were previously identified by their systems’ network adapter MAC addresses. The list of MAC addresses was then hard-coded into the trojanized versions of the utility and used to identify future targets.

The Kaspersky team also linked the attack to the ShadowPad incident from 2017, in which backdoors were planted in connectivity tools. Cisco’s Talos security team also discovered a similar supply chain attack that impacted CCleaner the same year.

If you own an ASUS computer, Kaspersky Lab has created a tool to help detect whether your system was one of those selected as a target for the attack.
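
Because targets were selected by network adapter MAC address, a defender's check comes down to comparing a machine's adapter addresses against a published target list. The sketch below is an added example, not Kaspersky's tool or code from the report; it assumes the list is available as plain MAC addresses, and every address and the adapter output in it are constructed samples.

```python
import re

# Constructed indicator list in mixed notations. These are RFC 7042
# documentation addresses, NOT real ShadowHammer targets; a real list would
# come from the researchers' published material.
SAMPLE_TARGET_MACS = ["00:00:5E:00:53:01", "00-00-5e-00-53-af", "0000.5e00.53c4"]

# Constructed `ipconfig /all` style excerpt. The DUID line embeds a MAC-like
# tail and must not be mistaken for an adapter address.
SAMPLE_ADAPTER_OUTPUT = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-00-5E-00-53-AF
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-3B-4C-5D-00-00-5E-00-53-77
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 00-00-5E-00-53-10
"""

# Exactly six hex pairs, not embedded in a longer hex/separator run.
_MAC_IN_TEXT = re.compile(
    r"(?<![0-9A-Fa-f:-])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:-])"
)


def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-\s]", "", text.lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def load_targets(entries):
    """Normalize an indicator list, skipping malformed entries."""
    return {m for m in map(normalize_mac, entries) if m}


def adapter_macs(tool_output):
    """Extract adapter MACs from ipconfig/getmac/ip-link style text."""
    return {normalize_mac(m) for m in _MAC_IN_TEXT.findall(tool_output)}


def targeted_adapters(tool_output, entries):
    """Return the sorted MACs of local adapters that appear on the list."""
    return sorted(adapter_macs(tool_output) & load_targets(entries))


if __name__ == "__main__":
    hits = targeted_adapters(SAMPLE_ADAPTER_OUTPUT, SAMPLE_TARGET_MACS)
    print("targeted adapters:", hits or "none")
```

A match only says the machine was on the target list; it does not show whether the trojanized updater was ever installed or run.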