Compromised ASUS update infrastructure used to deliver a supply chain attack through auto-update software

Executive summary

The software supply chain continues to be a popular
channel for launching attacks.
Publicly
available reports
indicate that attackers have reached a large
number of devices through auto-update software provided with computers from
Taiwanese manufacturer ASUS. In a campaign dubbed “Operation ShadowHammer”,
attackers have compromised the ASUS update infrastructure to deliver backdoored
versions of the Asus Live Update app, which comes preinstalled on ASUS
computers.

Microsoft is actively investigating available reports
as well as malware samples and telemetry. We have consolidated detections of
malicious binaries involved in this attack under the name
ShadowHammer.

ASUS has indicated that they have replaced the
backdoored version of their updater and implemented enhancements to their
infrastructure. Microsoft continues to investigate this threat and will provide
updates as we get more information.

ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.

More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html


ASUS FAQ
  • How do I know whether or not my device has been targeted by the malware attack?
  • Only a very small number of specific user groups were found to have been targeted by this attack, and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance.

  • What should I do if my device is affected?
  • Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.

  • How do I make sure that I have the latest version of ASUS Live Update?
  • You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
    https://www.asus.com/support/FAQ/1018727/

  • Have other ASUS devices been affected by the malware attack?
  • No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.


Analysis

Our ShadowHammer detections center around variants of
the backdoored Asus Live Update app representing at least two generations of
attack code. These generations are marked by samples with shellcode that are
either in plaintext or encrypted. Also, the appearance of these updater
variants corresponds to the validity dates of the certificates used to sign
them.
The backdoored updaters might have been designed to
target specific computers. They contain hardcoded MD5 hashes of MAC
addresses, and they appear to compare the hashes of the local network
adapters' MAC addresses against that list to identify targets and decide
whether to deploy additional payloads. Because a MAC address is only 48 bits
and its vendor prefix is public, hashing it offers the attacker little
secrecy: a defender holding the hash list can check their own adapters
against it, and the hashed MACs can be recovered offline by enumeration.
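The following Python is an added example written for this page, not ShadowHammer's code or any ASUS or Microsoft tooling. It shows how a hashed MAC target list works from both sides: how an attacker ships targets as MD5 digests, how a defender (or the implant) checks local adapters against that list, and why the scheme gives the attacker little secrecy. The target MACs, victim adapters and hashes are constructed for the example; the exact string form that ShadowHammer hashed is not stated on this page, so the lookup tries several common normalisations and the target list assumes the lowercase colon-separated form.

```python
"""Added example: MAC-hash target lists (constructed data, not ShadowHammer's).

Assumption: targets were hashed as lowercase, colon-separated MAC strings.
Because that is only an assumption, matching_adapters() tries the common
spellings of each local MAC before giving up.
"""
import hashlib
import re
from typing import List, Optional, Set, Tuple


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("ascii")).hexdigest()


def mac_forms(mac: str) -> Set[str]:
    """Plausible canonical spellings of one MAC address (case, separator)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    forms = set()
    for case in (str.lower, str.upper):
        cased = [case(p) for p in pairs]
        forms.add(":".join(cased))
        forms.add("-".join(cased))
        forms.add("".join(cased))
    return forms


def build_target_list(target_macs: List[str]) -> Set[str]:
    """Attacker side: the implant carries digests, not the MACs themselves."""
    return {md5_hex(m.lower()) for m in target_macs}


def matching_adapters(local_macs: List[str], target_hashes: Set[str]) -> List[Tuple[str, str]]:
    """Implant/defender side: which local adapters hash into the target list?

    Returns (adapter as reported, spelling that matched) for each hit."""
    hits = []
    for mac in local_macs:
        for form in sorted(mac_forms(mac)):
            if md5_hex(form) in target_hashes:
                hits.append((mac, form))
                break
    return hits


def recover_mac(target_hash: str, known_pairs: List[str]) -> Optional[str]:
    """Why MD5 hides little here: with the leading bytes known (vendor OUI plus,
    in this example, two more bytes) the rest enumerates in milliseconds, and
    even a bare 3-byte OUI leaves only 2^24 candidates per hash."""
    unknown = 6 - len(known_pairs)
    for n in range(256 ** unknown):
        tail = [f"{(n >> (8 * i)) & 0xFF:02x}" for i in reversed(range(unknown))]
        candidate = ":".join([p.lower() for p in known_pairs] + tail)
        if md5_hex(candidate) == target_hash:
            return candidate
    return None


# Constructed data: two targeted MACs, then two victims' adapter lists.
TARGET_MACS = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"]
TARGET_HASHES = build_target_list(TARGET_MACS)
VICTIM_A = ["00-11-22-33-44-55", "02:42:AC:11:00:02"]  # hyphenated, as ipconfig /all prints it
VICTIM_B = ["3C:97:0E:12:34:56"]                       # not on the list

if __name__ == "__main__":
    print("victim A:", matching_adapters(VICTIM_A, TARGET_HASHES))
    print("victim B:", matching_adapters(VICTIM_B, TARGET_HASHES))
    print("recovered:", recover_mac(md5_hex("aa:bb:cc:dd:ee:ff"), ["aa", "bb", "cc", "dd"]))
```

To check a real machine against a published hash list, feed `matching_adapters()` the adapter MACs from `getmac` or `ipconfig /all` and the digests from the list; a hit in any spelling is worth investigating, and no hit across all spellings is good evidence the machine was not on the list.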

Mitigations

Apply these mitigations to reduce the impact of this
threat. Check the recommendations card for the deployment status of monitored
mitigations.
  • ​Turn on cloud-delivered
    protection and automatic sample submission on Windows Defender Antivirus.
    These capabilities use artificial intelligence and machine learning to
    quickly identify and stop new and unknown threats.
  • Utilize the Windows
    Defender Firewall and your network firewall to prevent RPC and SMB
    communication among endpoints whenever possible. This limits lateral
    movement as well as other attack activities.
  • Secure internet-facing
    RDP services behind a multi-factor authentication (MFA) gateway. If you
    don’t have an MFA gateway, enable network-level authentication (NLA) and
    ensure that server machines have strong, randomized local admin passwords.
  • Customers that have not
    installed the ASUS Live Update app are not affected by the known attack
    method. Customers can either uninstall this app or get the latest version.
    According to ASUS, version 3.6.8 includes a fix and additional mechanisms
    that can prevent manipulation of updates.
  • Utilize Microsoft Edge
    or other web browsers that support SmartScreen. SmartScreen has removed
    reputation information for the certificates abused during these attacks.
    Binaries signed with those certificates will trigger a warning about an
    “unrecognized app”.

Detection details

Windows Defender Antivirus
Windows Defender Antivirus detects the trojanized apps and backdoor implants
as malware consolidated under the ShadowHammer name (see the Executive
summary).
Endpoint detection and response (EDR)
Alerts with the following titles in the Windows
Defender Security Center portal can indicate threat activity on your network:
  • Malicious binaries
    associated with a supply chain attack
  • Network traffic to
    domains associated with a supply chain attack
Advanced hunting
Publicly available reports indicate that this attack
took place from June to November 2018, so some customers might only have
telemetry around this period. To locate related attack activity in the past 30
days, run the following queries (the second hunts the download domain and
IP separately):
//Event types that may be associated with the implant or container
union ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents, ImageLoadEvents
| where EventTime > ago(30d)
//File SHA-1s for implant and container (40-hex SHA-1 values, so match the SHA1 columns, not SHA256)
| where SHA1 in ("e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")
    or InitiatingProcessSHA1 in ("e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")

//Second query: network traffic to the download domain or IP
NetworkCommunicationEvents
| where EventTime > ago(30d)
| where RemoteUrl contains "asushotfix.com" or RemoteIP == "141.105.71.116"
The provided query checks events from the past 30 days.
Change EventTime to focus on a different
period.

Indicators

Files (SHA-1)
  • 2c591802d8741d6aef1a278b9aca06952f035b8f
  • e01c1047001206c52c87b8197d772db2a1d3b7b4
  • 5039ff974a81caf331e24eea0f2b33579b00d854
  • 9f0dbf2ba3b237ff5fd4213b65795595c513e8fa
  • e793c89ecf7ee1207e79421e137280ae1b377171
  • e005c58331eb7db04782fdf9089111979ce1406f
  • 4a8d9a9ca776aaaefd7f6b3ab385dbcfcbf2dfff
  • fdc7169d7e0a421dfb37ab2a9ecae9c9d5b4b8b2
Malware download URL
  • hxxp://asushotfix.com
URLs with compromised packages
  • hxxp://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
  • hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
  • hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
  • hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip
Abused certificates
Both are legitimate ASUS code-signing certificates, so a signer-thumbprint
match on its own identifies ASUS-signed software, not necessarily a
backdoored build; combine it with the file hashes or network indicators above.
Certificate 1
  Subject: ASUSTeK Computer Inc.
  Status: Expired (no longer valid)
  Issuer: DigiCert SHA2 Assured ID Code Signing CA
  Valid from: 12:00 AM 07/27/2015
  Valid to: 12:00 PM 08/01/2018
  Valid usage: Code Signing
  Algorithm: sha256RSA
  Thumbprint: 29935023FF1386F5F0A0355B778B0DFF2022E196
  Serial number: 0F F0 67 D8 01 F7 DA EE AE 84 2E 9F E5 F6 10 EA
Certificate 2
  Subject: ASUSTeK Computer Inc.
  Status: Valid (at the time of this advisory)
  Issuer: DigiCert SHA2 Assured ID Code Signing CA
  Valid from: 12:00 AM 06/20/2018
  Valid to: 12:00 PM 06/22/2021
  Valid usage: Code Signing
  Algorithm: sha256RSA
  Thumbprint: 626646D29C5B0E7C53AA84698A4A97BE323CF17F
  Serial number: 05 E6 A0 BE 5A C3 59 C7 FF 11 F4 B4 67 AB 20 FC
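The Python below is an added example written for this page, not Microsoft's or ASUS's tooling, that runs the indicators from the Detection details and Indicators sections over endpoint telemetry offline. The telemetry lines are constructed for the example (a JSON-lines shape with `sha1`, `remote_url`, `remote_ip` and `signer_thumbprint` fields is assumed); the SHA-1s, domain, IP and certificate thumbprints are the values given in this advisory. It scores a certificate-only match as low confidence, since the same legitimate ASUS certificates sign non-backdoored software.

```python
"""Added example: offline ShadowHammer IOC matcher over constructed telemetry.

Indicator values come from this advisory; event records are constructed and
their field names (sha1, remote_url, remote_ip, signer_thumbprint) are an
assumption about the telemetry format, not a real product schema.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Files (SHA-1) from the Indicators section, plus the third hash that appears
# only in the advanced hunting query.
FILE_SHA1 = {
    "2c591802d8741d6aef1a278b9aca06952f035b8f",
    "e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "5039ff974a81caf331e24eea0f2b33579b00d854",
    "9f0dbf2ba3b237ff5fd4213b65795595c513e8fa",
    "e793c89ecf7ee1207e79421e137280ae1b377171",
    "e005c58331eb7db04782fdf9089111979ce1406f",
    "4a8d9a9ca776aaaefd7f6b3ab385dbcfcbf2dfff",
    "fdc7169d7e0a421dfb37ab2a9ecae9c9d5b4b8b2",
    "69c08086c164e58a6d0398b0ffdcb957930b4cf2",
}
DOWNLOAD_DOMAIN = "asushotfix.com"
DOWNLOAD_IP = "141.105.71.116"
# Legitimate ASUS code-signing certificates that were abused. Clean ASUS
# software carries the same signer, so this is a weak indicator by itself.
ABUSED_CERT_THUMBPRINTS = {
    "29935023FF1386F5F0A0355B778B0DFF2022E196",
    "626646D29C5B0E7C53AA84698A4A97BE323CF17F",
}


def _host_of(url: str) -> str:
    """Lower-cased host from a full URL or a bare hostname/path."""
    if not url:
        return ""
    target = url if "://" in url else "//" + url
    return (urlsplit(target).hostname or "").lower()


def match_event(ev: Dict) -> Tuple[str, List[str]]:
    """Score one event: 'high' on a file hash, domain or IP hit, 'low' when only
    the signer thumbprint matches, 'none' otherwise. Returns (score, reasons)."""
    strong, weak = [], []
    sha1 = (ev.get("sha1") or "").lower()
    if sha1 in FILE_SHA1:
        strong.append(f"file SHA-1 {sha1} is a known ShadowHammer binary")
    host = _host_of(ev.get("remote_url") or "")
    if host == DOWNLOAD_DOMAIN or host.endswith("." + DOWNLOAD_DOMAIN):
        strong.append(f"connection to download domain {host}")
    if ev.get("remote_ip") == DOWNLOAD_IP:
        strong.append(f"connection to download IP {DOWNLOAD_IP}")
    thumb = (ev.get("signer_thumbprint") or "").replace(" ", "").upper()
    if thumb in ABUSED_CERT_THUMBPRINTS:
        weak.append(f"signed with abused ASUS certificate {thumb}")
    if strong:
        return "high", strong + weak
    if weak:
        return "low", weak
    return "none", []


def triage(jsonl: str) -> List[Dict]:
    """Run match_event over JSON-lines telemetry and return the hits in order."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = match_event(ev)
        if score != "none":
            hits.append({"id": ev["id"], "confidence": score, "reasons": reasons})
    return hits


# Constructed telemetry: a backdoored updater, its callback, a clean ASUS
# binary with the same signer, and traffic to ASUS's own update host.
SAMPLE_EVENTS = """\
{"id": "ev1", "type": "ProcessCreation", "sha1": "E005C58331EB7DB04782FDF9089111979CE1406F", "signer_thumbprint": "29935023ff1386f5f0a0355b778b0dff2022e196"}
{"id": "ev2", "type": "NetworkCommunication", "remote_url": "http://asushotfix.com/", "remote_ip": "141.105.71.116"}
{"id": "ev3", "type": "ProcessCreation", "sha1": "0000000000000000000000000000000000000000", "signer_thumbprint": "626646D29C5B0E7C53AA84698A4A97BE323CF17F"}
{"id": "ev4", "type": "NetworkCommunication", "remote_url": "https://liveupdate01s.asus.com/", "remote_ip": "203.0.113.10"}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["id"], hit["confidence"], "; ".join(hit["reasons"]))
```

Note that the clean ASUS host `liveupdate01s.asus.com` is not flagged even though the compromised packages were served from it: the URLs listed above identify specific package paths, and alerting on the whole ASUS update CDN would swamp the low-confidence signal. Hash comparisons are case-folded because different collectors report hex in different cases.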

References

Sites to check if your device has been targeted: see the ASUS online security diagnostic tool linked in the Executive summary above.
Thanks to various sources for this information, including ASUS, FireEye, and Susan E. Bradley.