For the third time this year, security researchers have revealed yet another Asus security issue. This time, the company's WebStorage customers are affected.
Asus WebStorage Hacked
Researchers from antivirus company ESET discovered that the Plead malware was being created and executed by what was supposed to be a legitimate process: Asus’s WebStorage program (AsusWSPanel.exe). The executable is digitally signed by Asus Cloud Corporation.
The ESET researchers believe that Asus was the victim either of a supply-chain attack or man-in-the-middle (MITM) attack done by BlackTech, a cyber espionage group that usually has operations against targets in Asia.
A supply-chain attack would mean the hackers were able to send their malicious files alongside legitimate Asus updates. The researchers don’t believe Asus’s own files were infected in this case, just that the same channel that Asus was using to keep its software up-to-date on its customers’ PCs was also used by the attackers to send those same customers malware.
Much of Asus’ software continues to be delivered via the insecure HTTP protocol, years after previous researchers have raised the issue. Asus’ WebStorage service is no different, which is why BlackTech (or any other hacking group) should be able to intercept the communication channel between Asus and its customers and then replace Asus’s files with the group’s own malware.
When ESET reported the attack to Asus, the PC company shut down its update servers until it will properly secure them:
“In response to this attack, ASUS Cloud has revamped the host architecture of the update server and has implemented security measures aimed at strengthening data protection. This will prevent similar attacks in the future. Nevertheless, ASUS Cloud strongly recommends that users of ASUS WebStorage services immediately run a complete virus scan to ensure the integrity of your personal data.”
When Will It End?
For years, Asus has failed to follow security best practices. We’re not even six months into 2019, and three different security issues with the company’s services have already been revealed.
Earlier this year, Kaspersky revealed that Asus’s LiveUpdate tool had been taken over by malicious parties, giving them them the power to infect up to 1 million users. Asus said at the time that it had taken measures to protect against this type of attack happening again. But as we can see, either those measures weren’t enough, or Asus implemented them only on some of its servers and services, but not all.
To make matters worse, another researcher this year revealed that Asus’ employees have been storing their own passwords in plaintext on GitHub. There was no clear connection between this incident and Asus’ servers being compromised, but if attackers got their hands on the company’s IT credentials, that could have certainly made controlling Asus’s servers that much easier.
To protect its customers and regain their trust, Asus will have to do more than a one-time server software clean-up and upgrade. It'll need to change its policies to prioritize security so that its customers can feel secure that whenever an update is delivered by Asus, their PCs won't be put at risk.