Kaspersky Labs revealed today that an unidentified threat actor modified the Asus Live Update Utility to gain access to target devices. The security firm said this attack, which it dubbed Operation ShadowHammer, "seems to be one of the biggest supply-chain incidents ever," after the CCleaner attack of 2017.
The researchers said that someone modified the Asus Live Update Utility, added a back door and then distributed it via official channels. This malicious version of the tool was hosted on the Asus update server and signed with a legitimate certificate. It also had the same file size as the official version of the utility.
All those precautions made the malicious version of the Asus Live Update Utility incredibly difficult to detect. (Kaspersky managed it, though, which is why disclosures like these are also thinly veiled advertisements.) The company said it detected the malware on 57,000 devices but estimated that 1 million were affected.
Yet, the unidentified threat actor only appeared to be interested in a very small subset of those devices: Kaspersky said they "targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility." That means as many as 1 million people were compromised to target just 600.
The supply chain attack was first reported by Motherboard, which said it sent Asus three emails about Kaspersky's findings but hasn't received a response. The outlet noted that Symantec confirmed Kaspersky's findings and offered more details about how the researchers were finally able to uncover this attack.
Kaspersky said that "the same techniques were used against software from three other vendors" and added that it notified them about the attack, but it didn't say who the vendors are or how they responded. We suspect more information will be revealed after they've had a chance to protect their users.
More information about this attack is available on Kaspersky's Securelist website. The company also plans to present more details about the attack at the SAS 2019 conference on April 8 in Singapore. It will publish a full report to Securelist at that time as well--hopefully with details about the three other vendors.