Attackers have hijacked PC motherboard update software and hardware drivers to install malware. Here's how to identify vulnerable systems and prevent driver-delivered malware.

Credit: Thinkstock / Microsoft

PC manufacturer Asus recently announced that from June to November 2018, attackers used its Asus Live Update app, which comes preinstalled on ASUS notebook computers, to install backdoors on targeted computers. Kaspersky, which uncovered the operation, counted about 57,000 of its own users who had installed the backdoored updater; that count covers only machines running Kaspersky products, so the true figure was larger. Asus has acknowledged that malware was introduced into its update process and has provided a diagnostic tool you can run to see whether the malicious version was installed on your system.

The backdoored updater targeted specific computers. As the investigation reported, the backdoor contained a hardcoded list of MD5 hashes of MAC addresses, and the malicious payload only activated on a machine whose network adapter matched one of those hashes. The theory is that the attackers had identified specific hardware systems, groups of machines, or computers sold to specific companies, and used the updater to gain a foothold in those organizations.

If you have ASUS Live Update installed on your system, ensure that you have the latest version, 3.6.9, installed, as it includes the fix and additional mechanisms that prevent manipulation of updates.

(Screenshot: the Asus diagnostic tool indicates targeted machines. Credit: Susan Bradley)

Steps to ID your PC motherboard

The Asus attack made me question how to determine what motherboard a system uses, should another vulnerability of this kind arise. You have several ways to check the manufacturer and model of the motherboard installed on your system. In PowerShell you can use the command:

    Get-WmiObject win32_baseboard | select Manufacturer

It responds with the name of the motherboard manufacturer. (On PowerShell 7, where Get-WmiObject has been removed, use Get-CimInstance Win32_BaseBoard instead; the property names are the same.)

(Screenshot: PowerShell query report identifying the motherboard manufacturer. Credit: Susan Bradley)

The same command on my laptop clearly shows that a different manufacturer prepared this machine:

(Screenshot: the PowerShell report showing a different motherboard manufacturer. Credit: Susan Bradley)

Some motherboard identifiers are obvious. Lenovo is clearly the manufacturer of the laptop I'm typing this on. Others may take a bit of detective work. For example, Intel has a series of motherboards based on the Apollo Lake chip that respond to the command with a manufacturer of "APL".

A wider-ranging query built on the same mechanism tells you a great deal about the hardware across your network. Windows Management Instrumentation (WMI) is Windows' implementation of the CIM management standard: a set of predefined classes (Win32_BIOS, Win32_Processor, Win32_BaseBoard and many more) that expose hardware and operating-system objects for querying. By using the -ComputerName parameter, either on Get-WmiObject itself or on Invoke-Command to run the query remotely, you can query one computer or a whole series of them.

For example, you can use the following PowerShell snippet to pull the list of computers from Active Directory in your domain and collect key information about the BIOS, processor and motherboard manufacturer of each, to help you identify manufacturers and devices in your network. (Get-ADComputer needs the ActiveDirectory module from RSAT, and the targets must have WinRM enabled for Invoke-Command to reach them.)

    # Enumerate domain computers (ActiveDirectory RSAT module), then query each one remotely
    $computers = (Get-ADComputer -Filter *).Name
    foreach ($computer in $computers) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-WmiObject Win32_BIOS
            Get-WmiObject Win32_Processor
            Get-WmiObject Win32_BaseBoard
        }
    }

Hardware drivers are vulnerable, too

Just like motherboard and BIOS updaters, hardware drivers are a frequent target of malicious activity, because admins often install a driver when deploying computer systems and never update it again. An attacker can target a driver, or write malicious software that pretends to be a driver, and you would probably never realize that you had a persistent backdoor in your system.

To detect these silent attackers, monitor outbound traffic for unusual behavior. In particular, look for unusual outbound remote procedure calls (RPC) and Server Message Block (SMB) communication. It's wise to place blocking rules at your firewall: block the ports at the workstation level, at the exterior firewall, or both.

Before you block anything, determine whether your current network will be negatively affected by the blocking action. Review how dependent you are on SMB v1 and other older, more vulnerable protocols.

The U.S. Department of Homeland Security has long recommended blocking all versions of SMB at the network boundary by blocking TCP port 445, along with the related NetBIOS protocols on UDP ports 137-138 and TCP port 139, on all boundary devices, and especially in response to ransomware attacks.

It's also recommended to protect internet-facing Remote Desktop Protocol (RDP) servers (terminal servers) with a multifactor gateway in front of them, so that attackers can't brute-force the RDP password or use password-reuse attacks to gain access. If you cannot use multifactor authentication, ensure that Network Level Authentication (NLA) is enabled and use the Local Administrator Password Solution (LAPS) toolkit to randomize local admin passwords on workstations and servers.

Take action now to review your systems, take inventory of your motherboards, and in particular investigate any unusual outbound connections coming from your network.
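The domain-wide inventory query in "Steps to ID your PC motherboard" answers the narrower question the Asus incident raises only if it also tells you which machines run the vulnerable updater. The following added example is my own code, not the article's and not anything shipped by Asus; it runs the same remote query but also reads the Uninstall registry keys on each host and flags any ASUS Live Update install older than 3.6.9. It assumes the ActiveDirectory RSAT module is installed, that WinRM is enabled on the targets, and that the updater registers itself under a display name containing "ASUS Live Update" (that display name is an assumption; adjust $Pattern if your machines show something different).

```powershell
# Added example (not from the original article): fleet sweep for the motherboard vendor
# plus the installed ASUS Live Update version, flagging anything below 3.6.9.
# Assumptions: RSAT ActiveDirectory module, WinRM on targets, and an Uninstall-key
# DisplayName containing "ASUS Live Update" (assumed; change $Pattern if needed).

$MinimumVersion = [version]'3.6.9'
$Pattern        = 'ASUS Live Update'

# Runs on each target: check both the 64-bit and 32-bit Uninstall views, then the baseboard class.
$Audit = {
    param($Pattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like "*$Pattern*" } |
           Select-Object -First 1
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Manufacturer = $board.Manufacturer
        Product      = $board.Product
        LiveUpdate   = if ($app) { $app.DisplayName }    else { $null }
        Version      = if ($app) { $app.DisplayVersion } else { $null }
    }
}

# Only enabled computer accounts; disabled ones are not going to answer anyway.
$computers = (Get-ADComputer -Filter 'Enabled -eq $true').Name

$results = foreach ($computer in $computers) {
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $Audit `
                       -ArgumentList $Pattern -ErrorAction Stop
    } catch {
        # An unreachable host is an unaudited host: report it rather than silently skipping it.
        Write-Warning "$computer not audited: $($_.Exception.Message)"
    }
}

# Flag installs below the minimum version, and installs whose version string does not
# parse at all (those need a manual look rather than a quiet pass).
$flagged = $results | Where-Object {
    if (-not $_.LiveUpdate) { return $false }
    $v = $null
    (-not [version]::TryParse($_.Version, [ref]$v)) -or ($v -lt $MinimumVersion)
}

$flagged | Format-Table Computer, Manufacturer, Product, LiveUpdate, Version -AutoSize
$results | Export-Csv -Path .\motherboard-inventory.csv -NoTypeInformation
```

The CSV is the artifact worth keeping: it is the motherboard inventory the article asks you to build, and the next vendor-updater incident becomes a filter on the Manufacturer column rather than a new sweep. Machines that produce a warning are the ones to chase down by hand, since an offline laptop that still carries the old updater is exactly the case an automated sweep misses.

The driver section argues that a malicious driver can sit unnoticed for years. One local check that catches the crude cases is to walk every driver registered with the Service Control Manager and verify the Authenticode signature on its image. This added example is my own code, not the article's; it assumes an elevated PowerShell session and an illustrative trusted-signer list that you must extend with the hardware vendors you actually deploy, since a legitimate vendor driver will show up as "suspicious" until its signer is added.

```powershell
# Added example (not from the original article): audit the signature of every kernel
# driver the Service Control Manager knows about. Assumptions: elevated session, and the
# $TrustedSigners list is illustrative; add the vendors you deploy.

$TrustedSigners = @(
    'Microsoft Windows',
    'Microsoft Windows Hardware Compatibility Publisher'   # attestation-signed vendor drivers
)

function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv  = $_
        $path = $drv.PathName
        if (-not $path) {
            return [pscustomobject]@{ Name=$drv.Name; State=$drv.State; Path=$null;
                                      Status='NoPath'; Signer=$null; Suspicious=$true }
        }
        # PathName comes in several shapes: quoted, "\??\C:\...", "\SystemRoot\..." or
        # a bare "System32\drivers\x.sys". Normalise to a Win32 path before checking it.
        $path = $path.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -match '^System32\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose file is gone is either leftover cruft or something
            # that deleted itself after loading; either way it deserves a look.
            return [pscustomobject]@{ Name=$drv.Name; State=$drv.State; Path=$path;
                                      Status='FileMissing'; Signer=$null; Suspicious=$true }
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) {
            (($sig.SignerCertificate.Subject -split ',')[0]) -replace '^CN=', ''
        } else { $null }

        $suspicious = ($sig.Status -ne 'Valid') -or ($TrustedSigners -notcontains $signer)
        [pscustomobject]@{ Name=$drv.Name; State=$drv.State; Path=$path;
                           Status=$sig.Status; Signer=$signer; Suspicious=$suspicious }
    }
}

# Review the flagged set first; a clean machine typically shows only the vendor drivers
# whose signers you have not yet added to $TrustedSigners.
Get-DriverSignatureReport | Where-Object Suspicious |
    Sort-Object Status, Signer | Format-Table Name, State, Status, Signer, Path -AutoSize
```

Two caveats. Get-AuthenticodeSignature verifies embedded signatures and, on current Windows versions, catalog signatures, but a driver that shows a status other than Valid is not automatically malicious; cross-check it with "driverquery /si" or sigcheck before acting. And a signature check says nothing about a driver that is legitimately signed but vulnerable, which is why the article's advice to watch outbound RPC and SMB traffic still stands.

The last three paragraphs give a procedure: review SMB v1 dependencies, block SMB and NetBIOS egress, and check NLA on RDP hosts. This added example is my own code, not the article's, and assumes an elevated session on Windows 10 or Windows Server 2016 or later; the firewall rule names are arbitrary and the default of applying the block only to the Public profile is a deliberately cautious starting point.

```powershell
# Added example (not from the original article): the SMB dependency review, the
# workstation-level egress block for TCP 445, TCP 139 and UDP 137-138, and the RDP NLA
# check. Assumptions: elevated session, Windows 10 / Server 2016 or later.

function Test-Smb1Dependency {
    # Is the SMB1 server still enabled, is the feature installed, and is anything on this
    # host currently speaking SMB1 in either direction? Dialect "1.x" means SMB1.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }   # Server SKUs: Get-WindowsFeature FS-SMB1
        Smb1Connections   = @(Get-SmbConnection | Where-Object Dialect -like '1.*').Count
        Smb1Sessions      = @(Get-SmbSession    | Where-Object Dialect -like '1.*').Count
    }
    # For a longer observation window: Set-SmbServerConfiguration -AuditSmb1Access $true
    # and then review event 3000 in Microsoft-Windows-SMBServer/Audit.
}

function Block-SmbEgress {
    param([string[]]$Profile = @('Public'))   # widen to Domain/Private once the review is clean
    $rules = @(
        @{ Name = 'Block SMB egress TCP 445';        Protocol = 'TCP'; Port = 445 },
        @{ Name = 'Block NetBIOS egress TCP 139';    Protocol = 'TCP'; Port = 139 },
        @{ Name = 'Block NetBIOS egress UDP 137-138'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        # Idempotent: re-running the script must not pile up duplicate rules.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
                -Protocol $r.Protocol -RemotePort $r.Port -Profile $Profile -Enabled True | Out-Null
        }
    }
}

function Test-RdpNla {
    # UserAuthenticationRequired = 1 means Network Level Authentication is enforced on RDP-Tcp.
    $ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-tcp'"
    [bool]$ts.UserAuthenticationRequired
}

# Order matters: review first, block second, then confirm RDP is not relying on the
# password alone.
Test-Smb1Dependency
Block-SmbEgress
if (-not (Test-RdpNla)) { Write-Warning 'RDP-Tcp does not require Network Level Authentication' }
```

Run Test-Smb1Dependency on file servers and print servers before rolling Block-SmbEgress to the Domain profile: a nonzero Smb1Sessions count on a server means some client still depends on the protocol the article tells you to retire, and the block will surface that dependency as a helpdesk ticket rather than a tidy audit finding.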