Supply Chain Attackscritical

ASUS Live Update ShadowHammer: 1 Million PCs Receive Backdoored Official Updates

Attackers compromised ASUS's Live Update mechanism — the official auto-update tool for ASUS computers — and distributed backdoored updates signed with legitimate ASUS certificates to approximately 1 million users, targeting only 600 specific MAC addresses.

ASUS / ShadowHammer·2019·2 min read

Background

ASUS Live Update is pre-installed on ASUS laptops and silently downloads and installs drivers and firmware. It uses ASUS's own code-signing infrastructure. In 2018, attackers compromised ASUS's update distribution server.

The Attack

Attackers obtained access to ASUS's update server and code-signing infrastructure. They distributed a backdoored version of ASUS Live Update through the official ASUS update channel, signed with a legitimate ASUS certificate. The malware was installed on approximately 1 million ASUS computers. However, the payload was hardcoded with a list of approximately 600 specific MAC addresses (network hardware identifiers). Only machines with those specific MAC addresses received and executed a second-stage payload — all others received the backdoor dormant. The targeting precision indicated a sophisticated actor (attributed to APT groups) hunting specific high-value individuals.

Response

Kaspersky Lab discovered the campaign in January 2019 and disclosed it in March 2019 after notifying ASUS. Kaspersky released a tool to check if your MAC address was on the target list. ASUS pushed a new version of Live Update with improved security and published a statement. ASUS's initial response was criticised as inadequate.

Outcome

Approximately 1 million machines received the backdoored update, but only ~600 were the real targets. The precision of targeting — searching for specific hardware in a pool of 1 million — is a hallmark of nation-state operations. Kaspersky called it "one of the biggest supply chain incidents ever."

Key Takeaways

  1. Hardware MAC addresses provide a surgical targeting mechanism for nation-state implants hidden in mass distributions
  2. Legitimate code-signing infrastructure on update servers must be protected with the highest possible security controls
  3. Auto-update mechanisms are implicitly trusted by users and operating systems — they are prime supply chain targets
  4. Vendor response to supply chain disclosure must be rapid and specific — vague statements damage trust
ASUSauto-updateMAC address targetingShadowHammernation-state

More in Supply Chain Attacks

2020critical

SolarWinds Supply Chain Attack

2 min readSupply Chain Attacks
2017critical

CCleaner Backdoor: 2.27 Million Downloads Infected via Legitimate Software Update

2 min readSupply Chain Attacks
2018high

EventStream npm: Malicious Code Buried in Dependency Targets Bitcoin Wallet

2 min readSupply Chain Attacks