Posted on March 26, 2019 at 1:23 PM
Hundreds of thousands of Asus computer systems have been compromised, and customers targeted, by hackers who pushed a backdoored update tool from Asus’ own servers!
The bombshell report that Asus’ own update servers were pushing a backdoor, which hackers then used to target and compromise hundreds of thousands of computer systems, was first published by Motherboard. According to the report, the hackers were able to digitally sign the trojanized Asus Update tool with one of the company’s own code-signing certificates, so it passed as a legitimate update.
On top of that, the hackers managed to get the trojanized tool onto Asus’ servers, where it was hosted for months last year. The malicious updates were then delivered to every Asus computer running the tool, which would have been a large number, because the software was installed by default on the computers Asus sold.
Techcrunch has verified Motherboard’s reporting via a source with direct knowledge of the breach of Asus’ security.
Kaspersky first to the scene
Kaspersky, the Russian security software vendor whose products are popular around the world, was the first to find the breach and said it could affect up to one million end users of Asus hardware. Its researchers also identified what the backdoor did: it checked the MAC address of the device it was running on and, only on selected machines, pulled additional malicious code from a command and control server. At the time of writing no one has been able to confirm what that second-stage code does.
Motherboard’s report did mention that the code was checking for roughly 600 specific MAC addresses, which is why security experts think this was a targeted attack rather than a backdoor meant to infect as many people as possible. The same filtering makes it harder to find out what the code downloaded onto those 600 machines was meant to do: hosts that were not on the list never received it, so there are very few samples to analyse.
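The MAC-address gating described above is what kept the second stage off the vast majority of infected hosts, and it is also the one thing a defender can test for without the second stage in hand. The script below is an added example and not code from the article, Kaspersky or Asus: it models the backdoor’s decision (fetch the second stage only when an adapter MAC is on the built-in target list) and the defender’s counterpart (extract MAC addresses from ordinary `ipconfig /all` or `ip link` output and test them against the list). It assumes the list stores MD5 hashes of the lower-case, colon-separated MAC rather than plain addresses; the target MACs and the adapter listing are constructed for the example.

```python
"""Target-gating check modelled on the MAC-address filtering described above.

Assumptions (not from the article): the target list holds MD5 hashes of the
lower-case colon-separated MAC, and the sample targets and the ipconfig
excerpt below are constructed for this example.
"""
import hashlib
import re

# Matches 48-bit MACs written with ':' or '-' separators (ipconfig, ip link, getmac).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case, colon-separated hex ("aa:bb:cc:dd:ee:ff")."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash a MAC the way the (assumed) target list stores it."""
    return hashlib.md5(normalize_mac(mac).encode()).hexdigest()


def build_target_list(macs):
    """Attacker side: store only hashes, so the binary never reveals who the
    targets are even to someone who reverse-engineers it."""
    return frozenset(mac_hash(m) for m in macs)


def extract_macs(text: str):
    """Defender side: pull every MAC out of ipconfig / ip link style output,
    normalised and deduplicated; broadcast and all-zero entries are dropped."""
    found = []
    for token in MAC_RE.findall(text):
        mac = normalize_mac(token)
        if mac in ("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00") or mac in found:
            continue
        found.append(mac)
    return found


def matching_macs(host_macs, target_hashes):
    """Which of this host's adapters are on the target list?"""
    return [m for m in host_macs if mac_hash(m) in target_hashes]


def would_fetch_second_stage(host_macs, target_hashes) -> bool:
    """The gating decision: contact the C2 only on a match, so the payload is
    never observed on the hundreds of thousands of other infected hosts."""
    return bool(matching_macs(host_macs, target_hashes))


# Constructed sample: three victim MACs an attacker might have chosen.
SAMPLE_TARGETS = build_target_list(
    ["00-11-22-33-44-55", "aa:bb:cc:dd:ee:01", "AABBCCDDEE02"]
)

# Constructed ipconfig /all excerpt for a host with two adapters, one of which
# is on the list. Real output has more fields; only the MACs matter here.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 10-20-30-40-50-60
"""

if __name__ == "__main__":
    macs = extract_macs(SAMPLE_IPCONFIG)
    hits = matching_macs(macs, SAMPLE_TARGETS)
    print("adapters:", macs)
    print("on target list:", hits or "none")
    print("second stage fetched:", would_fetch_second_stage(macs, SAMPLE_TARGETS))
```

To check a real machine, pipe the output of `ipconfig /all` (or `ip link` on Linux) into `extract_macs` and use the published target hashes in place of `SAMPLE_TARGETS`; note that the match is on any adapter, so virtual, docked and Wi-Fi interfaces all need to be included, and a laptop whose adapter was replaced after the attacker built the list would no longer match even though it was the intended victim.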
Symantec, the company best known for its popular Norton AntiVirus, which dominated the anti-virus market for years, has backed up Kaspersky’s research. Spokesperson Jennifer Duffourg told Techcrunch that Symantec’s findings describe the incident as a software supply chain attack. She added that the version of the software containing the trojan code was sent to customers between June and October, and that 13,000 users of Symantec’s security software had been affected in that period.
Attackers had access to Asus certificates say security insiders
Security experts say the hackers must have had access to Asus’ own certificates in order to sign the malware and push it through Asus’ supply chain. Such supply chain attacks are extremely difficult to detect and trace: a chain of developers and vendors around the world is trusted to develop software and supply components, and code carrying a trusted vendor’s valid signature is accepted by every customer downstream, because the signature proves only which key signed the file, not that the vendor intended to ship it.
The problem today is that the certificate used in the attack, a new certificate issued in mid-2018, is still valid and has not been revoked. That remains a threat to Asus customers, since anything else signed with it will continue to look legitimate, and security experts say it should be revoked immediately.
Asus spokesperson Gary Key had no answers and pointed to a press release Asus was preparing to address any questions that might be raised. This is not the first time Asus has failed to keep a clear line of communication with its customers: it did not inform customers of the compromise despite having been notified of it by January 31st.