ASUS confirms server compromise, releases fixed Live Update tool
ASUS has finally confirmed that its servers were compromised and that its ASUS Live Update tool has been tampered with, as revealed on Monday.
“ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future,” the company announced.
They have also offered a diagnostic tool users can run to check whether their system has been affected, and advised those who have been saddled with the backdoored version to back up their files and restore the OS to factory settings.
“This will completely remove the malware from your computer,” the company claims.
Whether affected users want to put their trust in them again is another matter.
As a sidenote: in 2016, ASUS settled with the FTC a complaint regarding the poor security of their routers. As part of the settlement, the company committed to establishing and maintaining a comprehensive security program subject to independent audits for the next 20 years.
But it’s uncertain whether ASUS will extend that commitment to cover its computer business. (ASUS says that only the version of Live Update used for notebooks has been affected.)
No credit for the researchers
ASUS failed to acknowledge Kaspersky Lab for their work in unearthing the compromise and notifying them.
In fact, it is possible that they would not have gone public with the information if Kaspersky hadn’t.
The company also tried to downplay the extent of the damage, saying “a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”
Both Kaspersky Lab and Symantec estimate that the number of implanted systems might have reached 1 million, if not higher.
It also seems that the number of systems that have been implanted with the second-stage backdoor might be much higher than 600.
Apparently, one of the MACs targeted by #ShadowHammer is used on thousands of hosts: it is the VMware VMNet8 adapter with default MAC 00:50:56:C0:00:08. If you got one of those – don’t freak out. You were probably just a collateral target. Check if you ran ASUS Live Updater in 2018.
— Vitaly Kamluk (@vkamluk) March 26, 2019
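As an added illustration of the collateral-hit problem the tweet describes (example code written for this article, not ASUS's or Kaspersky's diagnostic tool): the check normalizes every adapter MAC found on a host, compares it against a target list, and separates matches on well-known virtual-adapter default MACs, which appear on thousands of unrelated machines, from matches on hardware MACs. The target list and host sample below are constructed; the only real entry is the VMnet8 address quoted in the tweet.

```python
import re

# Constructed target list. The only real entry is the VMware VMnet8 default
# quoted in the tweet; the second entry is an invented placeholder, not an IoC.
TARGETED_MACS = {
    "00:50:56:C0:00:08",   # VMware VMnet8 adapter default (from the tweet)
    "02:AB:CD:EF:12:34",   # constructed placeholder
}

# Default MACs of widely deployed virtual adapters; a hit here is most likely
# collateral rather than evidence the host itself was a chosen target.
VIRTUAL_DEFAULT_MACS = {
    "00:50:56:C0:00:08": "VMware VMnet8 default",
}

MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical upper-case, colon-separated form; accepts -, :, . or no separator."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_host(host_macs, targets=TARGETED_MACS):
    """Return {'hardware': [...], 'collateral': [...]} for the MACs that match.

    'hardware' lists adapter MACs that are on the target list outright;
    'collateral' lists matches on virtual-adapter defaults shared by many hosts.
    """
    result = {"hardware": [], "collateral": []}
    canonical_targets = {normalize_mac(t) for t in targets}
    for raw in host_macs:
        mac = normalize_mac(raw)
        if mac not in canonical_targets:
            continue
        if mac in VIRTUAL_DEFAULT_MACS:
            result["collateral"].append((mac, VIRTUAL_DEFAULT_MACS[mac]))
        else:
            result["hardware"].append(mac)
    return result


# Constructed sample: a laptop running VMware, so it carries the VMnet8 default
# MAC next to its physical adapter and another VMware host-only adapter.
SAMPLE_HOST_MACS = ["a4-5e-60-11-22-33", "00-50-56-c0-00-08", "00:50:56:c0:00:01"]

if __name__ == "__main__":
    print(classify_host(SAMPLE_HOST_MACS))
```

A real deployment would feed `classify_host` the adapter list from `ip link` or `ipconfig /all` and treat only the `hardware` bucket as a reason to escalate.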
As a reminder: Kaspersky Lab has also released a tool that checks for the implant (there’s an online version, too) and has asked those affected to get in touch so they might analyze the malware and, hopefully, gain more insight into the targets the attackers were after.