Asus has responded to Kaspersky Lab's report yesterday that an unidentified threat actor used the Asus Live Update Utility to compromise up to 1 million devices. The cybersecurity company also released a diagnostics tool to help its customers figure out if they were affected by the attack and is reportedly contacting customers that it knows were affected to help them recover.
Kaspersky named the attack Operation ShadowHammer and said it was the largest supply chain attack since the CCleaner attack of 2017, with 57,000 devices confirmed affected and more than 1 million believed to have been affected. Why? To compromise just 600 yet-to-be-identified devices. (That's an extra 1,666 people affected for each actual target.)
The security company said that an attacker compromised the Asus Live Update Utility and distributed it to the manufacturer's devices. The malicious version of the utility was said to feature the same file size as the original, was signed with a legitimate certificate and was hosted on Asus' server. It would've been hard for anyone to spot.
Asus responded to Kaspersky's report late on the same day as Kaspersky's revelation. According to Bloomberg, the company said that "only several hundred" PCs were infiltrated, not 1 million. It also said that it helped its customers fix the problem, patched the vulnerability that allowed the Asus Live Update Utility to be taken over and updated its servers after the attack.
We don't have enough information to say which company is more accurate. Both are likely to stick to their own findings: reporting on large-scale attacks helps security companies like Kaspersky advertise their services; manufacturers like Asus might want to downplay attacks to avoid the inevitable lawsuits, bad press and other issues.
Still, in Motherboard's report on Operation ShadowHammer, the outlet noted that Symantec corroborated Kaspersky's findings.
We also haven't seen mention of Operation ShadowHammer on Asus' U.S. site; the company appears to be handling the issue as quietly as possible.
Kaspersky is set to reveal more information about the attack at the SAS 2019 conference on April 8.