Asus acknowledged (opens in new tab) today the recent takeover of its Live Update Utility for the company’s notebooks by an advanced persistent threat (APT) group and said that it has released an updated version (version 3.6.8) of its utility that is clean of the hacking group’s malware. The company also included long overdue encryption and security features to prevent similar attacks in the future, such as end-to-end encryption and other verification mechanisms.
"A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," the statement said, in addition to offering a link to download its diagnostic tool (opens in new tab) and encouraging concerned users to contact customer service (without listing contact information).
Asus Live Update Utility Hacked by APT Group
Kaspersky Labs this week announced it uncovered a sophisticated attack against Asus’ update software that was going on between June and November 2018. The security company called the attack the largest of its kind since a similar takeover of CCleaner’s update server happened, with up to 1 million users impacted.
According to a Bloomberg report earlier today, Asus said the number of impacted users is in the hundreds, despite Kaspersky believing it to be up to 1 million were affected. However, Kaspersky was able to see 57,000 of its own customers were using the infected tool, and as reported by Motherboard, Symantec also said that 13,000 of its customers were using the hacked utility. Therefore, it seems that at the minimum, 70,000 PCs were affected by the malicious hack, but this is only a small fraction of the devices that Kaspersky and Symantec were able to analyze.
Asus neglected to give credit to Kaspersky for discovering the attack in today's statement, and it appears that it also ignored Kaspersky's initial disclosure of the attack. Eventually, the company reportedly asked Kaspersky to sign an NDA.
Kaspersky told Asus of the attack in January and published the story yesterday on Seclist and its blog (opens in new tab). Now, Asus has released a patch for its software, as well as a diagnostic tool for Asus notebook customers that want to verify whether or not their Live Update software was infected with malware.
Has Asus Learned Its Lesson?
Back in 2016, a report came out that revealed how the top 5 notebook makers, including Asus, were ignoring security best practices for their devices that would have prevented this type of attack. Asus, one of the worst offenders among the vulnerable laptop makers, was guilty of not even using HTTPS encryption or signing or validating their software updates.
At the time, the researchers that revealed this also found other critical vulnerabilities in these companies’ update tools that would have made it easy even for non-technical malicious hackers to infect targeted machines.
The chief of NSA’s TAO group also said in the past that exploiting OEMs’ software for notebooks is one of the easiest ways to hack a computer, because of how vulnerable these software tools tend to be and how little care laptop vendors tend to have for security in general.
In this case, not only did Asus ignore this issue for the past three years despite being warned about it by security researchers, but the company seemingly ignored it once again when existing attacks and not just theoretical ones, were showed to it by Kaspersky.
Due to what seems to be mainly Kaspersky’s insistence on revealing the APT group’s attack to the public and fear of the press’ reaction, Asus was finally dragged kicking and screaming into updating its software with the proper modern security features that it should have used since at least 2016, after the aforementioned report came out.
The antivirus companies found Asus' update software to be vulnerable only for a limited period of time, but this may have been a strategy by the hacking group to minimize its exposure. However, chances are that Asus may not be the only laptop maker with a PC utility that has been infected, at least temporarily and without getting caught by various sophisticated hacking groups.