Wed. Jul 15th, 2020

ASUS servers were attacked, distributing backdoors to millions of users

2 min read

According to the latest research report released by Kaspersky Security Lab, ASUS official update server has been hacked and distributed ShadowHammer backdoor programs to users. From the type of attack, this kind of attack is also a supply chain attack, that is, attacking the provider program and then transmitting the Trojan virus to the user.

The well-known supply chain attack is the Avast CCleaner cleanup program, which affected tens of millions of users after being hacked last year. Although ASUS’s attack did not affect tens of millions of users were affected, more than 57,000 users have actually been infected with malware.

Image: securelist

This software is mainly ASUS official to provide users with BIOS / UEFI and software updates, for most ASUS devices should be pre-installed with this software. So as long as the user does not actively uninstall or quit the program, the program will connect to the ASUS server in the background to check whether there is a new version and then download.

According to Kaspersky Lab’s statistics, it is estimated that millions of users have been pushed with a virus version, and at least 57,000 users have been actually infected. And these 57,000 users are also users of Kaspersky Anti-Virus, which means that users who have not used Kaspersky are not in the statistics.

After successfully breaking the ASUS internal server, the hacker put the malware into the development engineer’s library, and then the engineers packaged the signature with the embedded malware. The poisoned version actually received by the user has the official signature of ASUS official, and this signature will also allow most anti-virus software to automatically release without detecting. The virus modules provided by hackers even on ASUS servers have been specially modified, and their file size is almost the same as the size of the file being replaced to avoid being discovered. For Asus engineers, the file size was not estimated and unexpected, and the poisoned version was successfully signed and pushed to users.

Kaspersky released an automated tool for users to check whether they had specifically been targeted by the ShadowHammer.