Operation ShadowHammer – ASUS is the latest victim of a large-scale supply chain attack that delivered a backdoor to more than one million users, Kaspersky Lab reported.
Over 1 million ASUS users may have been impacted by a supply chain attack that leveraged the ASUS Live Update utility to inject a backdoor in ASUS systems.
Kaspersky tracks the attack as Operation ShadowHammer. It took place between June and November 2018, but the researchers only discovered it in January 2019.
“In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.” reads the analysis published by Kaspersky Lab.
The ASUS Live Update utility is pre-installed on most ASUS computers and allows the vendor to automatically update several components, including drivers, BIOS, UEFI firmware, and applications. The attackers also digitally signed their malware with a stolen certificate that ASUS uses to sign legitimate binaries, a technique already observed in other supply chain attacks such as the CCleaner and ShadowPad hacks.
Experts pointed out that Operation ShadowHammer was a targeted attack that surgically hit only a list of just over 600 specific MAC addresses, but Kaspersky could not determine the exact number of users who installed the tainted utility.
Based on Kaspersky’s statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. Experts estimate that the extent of the problem is huge and it is possibly affecting over a million users worldwide.
“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses.” continues Kaspersky.
“To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.”
The threat actors behind Operation ShadowHammer delivered backdoored versions of the ASUS software that carried a valid signature. The software was hosted and distributed through the official ASUS update servers, which is why the experts describe this supply chain attack as very sophisticated.
“While this means that potentially every user of the affected software could have become a victim, actors behind ShadowHammer were focused on gaining access to several hundreds of users, which they had prior knowledge about,” Kaspersky Lab continues.
Once the backdoored utility is executed on a victim's device, the malicious code reads the MAC addresses of the host's network adapters and checks them against the hardcoded list. If one of the MAC addresses is in the list, the infection continues; otherwise, the malware stays dormant and does nothing further.
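The MAC-address gate described above, turned around into a defender-side triage check, as an added example that is neither Kaspersky's check tool nor the malware's code. It normalises MAC addresses in the formats found in inventories and `ip link` output, compares them against a target list, and accepts that list either in plaintext or as MD5 digests; the hashed form is an assumption of the example (the article only says the list is hardcoded), chosen so a target list can be shipped without disclosing the plaintext addresses. The target MACs and the `ip -o link` output embedded below are constructed sample data, not real ShadowHammer indicators.

```python
"""Triage check: does any adapter on this host appear in a MAC target list?

Added example, not code from the original article, Kaspersky, or ASUS.
Assumption: the target list is stored as MD5 digests of normalised MACs
(12 uppercase hex digits, separators stripped); plaintext MACs are also
accepted and hashed on the fly.
"""
import hashlib
import re
import subprocess

# Constructed sample target list (NOT real indicators from the attack).
SAMPLE_TARGET_MACS = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-FF",
]

# Constructed sample of `ip -o link` output, used when the command is unavailable.
SAMPLE_IP_LINK_OUTPUT = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN "
    "mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 "
    "brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP "
    "mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 "
    "brd ff:ff:ff:ff:ff:ff\n"
    "3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP "
    "mode DORMANT group default qlen 1000\\    link/ether de:ad:be:ef:00:01 "
    "brd ff:ff:ff:ff:ff:ff\n"
)


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 uppercase hex digits.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and bare hex.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_hash(mac: str) -> str:
    """MD5 digest of the canonical MAC (hashed-list assumption, see docstring)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_set(targets) -> set:
    """Accept plaintext MACs or 32-hex MD5 digests; return a set of digests."""
    out = set()
    for entry in targets:
        entry = entry.strip()
        if re.fullmatch(r"[0-9a-fA-F]{32}", entry):
            out.add(entry.lower())          # already a digest
        else:
            out.add(mac_hash(entry))        # plaintext MAC, hash it
    return out


def parse_ip_link(text: str) -> list:
    """Extract hardware MACs from `ip -o link` output (loopback is skipped
    because it is reported as link/loopback, not link/ether)."""
    return re.findall(r"link/ether ([0-9a-fA-F:]{17})", text)


def matching_adapters(adapter_macs, target_set) -> list:
    """Return the adapter MACs (as given) whose digest is in the target set.
    Unparsable inventory entries are ignored rather than aborting the check."""
    hits = []
    for mac in adapter_macs:
        try:
            if mac_hash(mac) in target_set:
                hits.append(mac)
        except ValueError:
            continue
    return hits


def is_targeted(adapter_macs, target_set) -> bool:
    """True if this host would have passed the malware's targeting gate."""
    return bool(matching_adapters(adapter_macs, target_set))


def host_adapter_macs() -> list:
    """Read the local adapters via `ip -o link`, falling back to sample data."""
    try:
        proc = subprocess.run(["ip", "-o", "link"], capture_output=True,
                              text=True, check=True)
        return parse_ip_link(proc.stdout)
    except (OSError, subprocess.CalledProcessError):
        return parse_ip_link(SAMPLE_IP_LINK_OUTPUT)


if __name__ == "__main__":
    targets = build_target_set(SAMPLE_TARGET_MACS)
    adapters = host_adapter_macs()
    hits = matching_adapters(adapters, targets)
    print(f"adapters: {adapters}")
    print("TARGETED via " + ", ".join(hits) if hits else "not on the target list")
```

Run it against the published list of recovered MAC addresses (or their digests) to find which machines in an inventory the operators actually cared about; the same normalisation step matters in practice, because asset databases, DHCP logs and `ip link` each format MACs differently and a naive string compare would miss matches.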
Attackers used a modular approach and extra precautions when executing code to avoid detection. Kaspersky experts argue attackers are very advanced and their arsenal reflects a very high level of development within the group.
Kaspersky experts attribute the attacks to the BARIUM APT group, the same threat actor behind the ShadowPad and CCleaner supply chain attacks.
The BARIUM APT is believed to operate under the Winnti umbrella along with other APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and procedures (TTPs) and in some cases shared portions of the same hacking infrastructure.
Below is the geographic distribution of the victims of Operation ShadowHammer.
According to Kaspersky, at least three other vendors in Asia were hit with similar attack techniques.
“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base,” said Vitaly Kamluk, Director of Global Research and Analysis Team, APAC, at Kaspersky Lab. “It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack.”
Kaspersky has released a tool that allows users to determine whether they were impacted; the company also plans to provide additional information on the incident at its SAS 2019 conference.