Posted on May 17, 2019 at 9:59 AM
Security firm ESET has released findings that hackers have been using ASUS’ WebStorage cloud service to deliver a particular malware known as Plead to unsuspecting victims. The researchers working for ESET say that the hacking group known as BlackTech Group has been using a combination of various security weaknesses in ASUS’ platform to manage this hack.
Attacks combine various hacks to infect computers
The BlackTech Group, which has been identified by Trend Micro as a group that specifically targets both governmental and private organizations across Asia, is using a complicated series of steps that ESET has not yet been able to fully understand. The group came into the limelight last year when it used stolen code-signing certificates from D-Link to authenticate itself cryptographically as trustworthy. Prior to that incident, though, they used spear-phishing and compromised routers, which served as the C&C (command-and-control) servers for the malware they distributed.
Initially, the security company's researchers thought that the malware was part of yet another supply-chain attack, given that ASUS had suffered a similar attack not long ago. However, the supply-chain theory was quickly disproved, indicating that ASUS had managed to close that particular loophole.
However, this latest hack is a testament to how bad ASUS' security team really is, as the hackers were able to hijack data sent from its cloud service because that traffic was unencrypted. Many in the security industry think that, with the history of breaches ASUS has had, the company would make sure that all its services were as secure as possible.
The malware arrived on victims' computers as a file called AsusWSPanel.exe, which ran as normal on users' computers and was even digitally signed by ASUS WebStorage. This is what led the researchers to suspect another supply-chain attack, but for three notable observations.
First, the service delivered clean binaries in addition to Plead executables, and there was zero evidence of the ASUS servers being used as control servers for malicious code. Combined with the hackers using standalone files rather than packaging the malware inside legitimate ASUS software, this showed the researchers that something else was at play.
MitM due to unencrypted connections
While looking at the most likely scenarios the attackers could be using to infect victims, the researchers began to notice that the ASUS WebStorage software was extremely vulnerable to man-in-the-middle attacks, because updates were requested over an unencrypted HTTP connection. Further to that, it was noted that the ASUS software did not validate the authenticity of the code it was downloading at all.
This led the researchers to the conclusion that BlackTech was intercepting the update process of ASUS WebStorage and pushing Plead to the target computer instead of the expected update. One more interesting tidbit the researchers uncovered was that the routers used by the affected organizations were, for all intents and purposes, the same. ESET declined to say which company was responsible for these routers, as it is still investigating this aspect of the hack. The researchers think that a portion of the attack might have been carried out using fake DNS settings within the routers themselves, or possibly something as involved as tampering with iptables.
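The two weaknesses described above, a plaintext update channel and no check on what comes back, are what make the redirection (whether by an on-path device or a router's DNS settings) enough to substitute a binary. The following added example, which is not code from ESET or ASUS, contrasts that weak update flow with a hardened one that refuses non-TLS update URLs and compares the downloaded bytes against a pinned digest. The hostname `update.example`, the sample "genuine" and "substituted" payloads, and the pinned digest are all constructed for the example; in a real client the expected digest or signature would come from an authenticated manifest, not a hard-coded constant.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample data (not from the ESET report): a stand-in for the
# genuine AsusWSPanel.exe update and for a binary swapped in on the path.
GENUINE_UPDATE = b"MZ AsusWSPanel.exe genuine update build (constructed)"
SUBSTITUTED_PAYLOAD = b"MZ on-path substituted binary (constructed)"

# Pinned digest of the genuine update. In practice this value comes from a
# manifest that is itself authenticated (code-signed or served over pinned
# TLS); it is computed here only so the example runs offline.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def vulnerable_update_flow(update_url: str, downloaded: bytes) -> bool:
    """Weak pattern from the article: request the update over plain HTTP and
    run whatever comes back, with no authenticity check at all.
    Returns True when the client would execute the payload."""
    return update_url.startswith("http") and len(downloaded) > 0


def url_is_acceptable(update_url: str) -> bool:
    """Only TLS-protected update endpoints are allowed: scheme must be https
    and a host must be present. A plain http:// URL is rejected outright."""
    parsed = urlparse(update_url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def payload_is_authentic(downloaded: bytes, expected_sha256: str) -> bool:
    """Compare the digest of the downloaded bytes with the pinned digest in
    constant time. If DNS was redirected or the response was swapped on the
    path, the bytes differ, the digest no longer matches, and the update is
    rejected regardless of how the client reached the server."""
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def hardened_update_flow(update_url: str, downloaded: bytes,
                         expected_sha256: str) -> bool:
    """Fail closed: both the transport and the payload must check out before
    the client is allowed to execute the update."""
    if not url_is_acceptable(update_url):
        return False
    return payload_is_authentic(downloaded, expected_sha256)


def simulate_redirected_fetch(on_path_control: bool) -> bytes:
    """Model of what the client receives: with on-path control (fake router
    DNS or traffic interception) the response is the substituted binary."""
    return SUBSTITUTED_PAYLOAD if on_path_control else GENUINE_UPDATE


if __name__ == "__main__":
    http_url = "http://update.example/AsusWSPanel.exe"
    https_url = "https://update.example/AsusWSPanel.exe"
    swapped = simulate_redirected_fetch(on_path_control=True)
    print("vulnerable client runs swapped payload:",
          vulnerable_update_flow(http_url, swapped))
    print("hardened client runs swapped payload:",
          hardened_update_flow(https_url, swapped, PINNED_SHA256))
    print("hardened client runs genuine update:",
          hardened_update_flow(https_url, GENUINE_UPDATE, PINNED_SHA256))
```

The point of `hardened_update_flow` is that the two checks are independent: the https-only rule removes the plaintext channel the article describes, and the digest comparison makes the outcome depend on the bytes rather than on the route, so a router pushing fake DNS answers still cannot get an unsigned binary executed.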
It was the discovery of the link between the routers that led the ESET researchers to dismiss the supply-chain idea entirely and focus on the current working theory of a MitM attack. So far, the company has traced the attack to 20 computers that received the Plead malware. That is only the number of infections among ESET's own clients, and the researchers believe the real number is probably much higher.
This is the second time ASUS has been caught out in as many months, with the computer maker's reputation taking more and more hits.