ASUS users fall victim to supply chain attack through backdoored update

Attackers hijack ASUS's auto-update process to deliver malware. Preventing such attacks is difficult, but vendors and their customers can do more to mitigate the risk.

Over a million users might have downloaded and installed a backdoored version of an ASUS application that was served from the company's official update servers. The incident is the latest in a string of software supply chain attacks that have come to light over the past couple of years and highlights the need for companies to better vet the applications and updates they deploy on their systems.

According to a report released Monday by security firm Kaspersky Lab, hackers created a trojanized version of a legitimate application called the ASUS Live Update Utility, signed it with valid certificates belonging to ASUS, and distributed it to users through the application's own update mechanism. This indicates that, at the very least, hackers had access to ASUS's code signing and update infrastructure.

Based in Taiwan, ASUSTeK Computer, commonly known as ASUS, is one of the world's largest manufacturers of computers and computer components. The ASUS Live Update Utility comes preinstalled on many Windows computers made by the company and is used to deliver updates for BIOS/UEFI firmware, hardware drivers and other ASUS tools. The utility can also be installed manually by users after a clean Windows installation.

The backdoored version of ASUS Live Update was discovered in January by researchers at antivirus firm Kaspersky Lab, after the company added new technology to its products for detecting unusual code injected into larger applications and other anomalies that could indicate supply-chain attacks. After collecting additional samples and data, the researchers determined that the attack began in June and ended in November of last year.

"Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time," the researchers said in their report. "We are not able to calculate the total count of affected users based only on our data. However, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide."
