Over a million users might have downloaded and installed a backdoored version of an ASUS application that was served from the company's official update servers. The incident is the latest in a string of software supply chain attacks that have come to light over the past couple of years and highlights the need for companies to better vet the applications and updates they deploy on their systems.

According to a report released Monday by security firm Kaspersky Lab, hackers created a trojanized version of a legitimate application called the ASUS Live Update Utility, signed it with valid certificates belonging to ASUS, and distributed it to users through the application's own update mechanism. This indicates that, at the very least, hackers had access to ASUS's code signing and update infrastructure.

Based in Taiwan, ASUSTeK Computer, commonly known as ASUS, is one of the world's largest manufacturers of computers and computer components. The ASUS Live Update Utility comes preinstalled on many Windows computers made by the company and is used to deliver updates for BIOS/UEFI firmware, hardware drivers and other ASUS tools. The utility can also be installed manually by users after a clean Windows installation.

The backdoored version of ASUS Live Update was discovered by researchers from antivirus firm Kaspersky Lab in January, after the company added new technology to its products for detecting unusual code added to larger applications and other anomalies that could indicate supply-chain attacks. After collecting additional samples and data, the researchers determined the attack began in June and ended in November last year.

"Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time," the researchers said in their report. "We are not able to calculate the total count of affected users based only on our data. However, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide."

Kaspersky's telemetry data shows the highest number of computers affected by the attack in Russia, Germany and Italy. However, the victim distribution is influenced by the distribution of Kaspersky customers around the world. Symantec also confirmed the attack Monday and said that it found malicious versions of ASUS Live Update on 13,000 computers, 20 percent belonging to businesses. The company's data showed a more even spread of infections around the world, with 13 percent in the US.

The security firm has dubbed the attack ShadowHammer and plans to release a whitepaper with additional technical details next month at its Security Analyst Summit (SAS) conference.

Secondary payload delivered to specific targeted owners

By targeting a software application used by millions of users, the attackers appear to have cast a very wide net. However, this was just a convenient way to reach their real target: around 600 systems that received a secondary payload and whose owners have not yet been identified.

The malicious ASUS Live Update samples found by Kaspersky contained around 600 hard-coded MAC addresses — unique hardware identifiers for network adapters — and the second-stage payload was only delivered to systems that had those MAC addresses. It's not clear what that malicious component was designed to do because the server that hosted it was already down when Kaspersky discovered the attack. However, the company has developed a tool that allows users to check if their computers are among those targeted and hopes to recover a sample of the payload for analysis.

The attack is very similar to the one that involved trojanized CCleaner versions being distributed to 2.2 million users in 2017. That attack was attributed to an APT group known in the security industry as Barium or Winnti, and it too involved a second-stage malware payload that was deployed on a small number of systems belonging to technology companies, including ASUS.

One supply chain attack can lead to another

Costin Raiu, the director of Kaspersky's global malware research and analysis team, tells CSO that there are certain similarities between the two attacks, as well as an earlier one dubbed ShadowPad that was also attributed to Barium. While the conclusion is not definitive, it's possible the latest ASUS Live Update attack was carried out by the same group, and it's also possible that hackers might have gained access to ASUS's network and infrastructure as a result of the earlier CCleaner attack, he says.

That's one of the risks with these targeted software supply-chain attacks: They tend to snowball. One attack can provide hackers with access to a technology company and that company's software can then be compromised and used to launch attacks against additional companies and so on. Also, during these attacks hackers collect information about the infected systems, so even if a company was not among the victims that received a secondary payload in this campaign, it might become a target in a future supply-chain attack, Raiu says.

Multiple groups using similar supply chain attack technologies

Previous research by Microsoft suggests there are two groups under the Winnti umbrella that share the same tools. One of them is tracked as Barium and its targets have historically been companies from the gaming industry, possibly for monetization purposes, and the other is called Lead and its goal appears to be industrial espionage, its target being companies and organizations from various industries.

Earlier this month, researchers from security firm ESET reported that supply-chain attacks attributed to Winnti resulted in the backdooring of two games and one gaming platform. Kaspersky has found technical similarities between those attacks and the ASUS one, suggesting they could be related.

It's possible that systems compromised in these supply chain attacks could be used to select future targets for either of the Winnti groups, the one targeting the gaming industry or the one interested in industrial espionage, Raiu says.

ASUS did not immediately respond to a request for comment about the reported ShadowHammer attack.

Vendors, users struggle to protect against supply chain attacks

It's very hard for consumers and companies to protect themselves against software supply-chain attacks when they involve proprietary software, because users only receive the compiled binary files and have little choice but to trust that vendors deliver clean updates.

In the world of open-source software there are technical solutions such as reproducible builds that can catch malicious modifications of binaries, including the addition of backdoors. This is a method of deterministic compilation where binaries compiled from the same source code by multiple parties, including automated systems, should be byte for byte identical regardless of configuration variations in the compiling environments. Unfortunately, such solutions don't work for proprietary software because no third parties have access to the source code to independently verify the authenticity of the resulting binaries.
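The following is an added illustration of the reproducible-builds idea described above; it is not code from Kaspersky, ASUS or any reproducible-builds project. A tiny "build" that packs a constructed source tree into an archive stands in for compilation: the naive variant records whatever the environment supplies (wall clock, directory order, user id), so two parties get different bytes from the same source, while the pinned variant fixes every such field and yields identical digests, which is what lets a third party rebuild and compare a shipped artifact. All file names, contents and timestamps are invented for the example.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree" (name -> bytes); not from any real project.
SOURCE_TREE = {
    "src/main.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "src/util.c": b"int add(int a,int b){return a+b;}\n",
    "README": b"sample project\n",
}

# Pinned build timestamp, in the spirit of SOURCE_DATE_EPOCH (value is arbitrary).
SOURCE_DATE_EPOCH = 1_500_000_000


def naive_build(tree, *, build_time, file_order, owner):
    """Non-deterministic 'build': the archive records whatever the
    environment happens to provide (clock, directory order, uid)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in file_order:
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time          # leaks the wall clock
            info.uid = owner                 # leaks the builder's account
            info.uname = f"user{owner}"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(tree, **_env):
    """Deterministic 'build': every environment-dependent field is pinned,
    so the environment keyword arguments are deliberately ignored."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):            # fixed ordering
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH   # fixed timestamp
            info.uid = info.gid = 0          # fixed ownership
            info.uname = info.gname = "root"
            info.mode = 0o644                # fixed permissions
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def independent_builds(build_fn, tree):
    """Two independent parties build the same source in different
    environments (different clock, listing order and uid)."""
    party_a = build_fn(tree, build_time=1_600_000_000,
                       file_order=sorted(tree), owner=1000)
    party_b = build_fn(tree, build_time=1_600_000_042,
                       file_order=sorted(tree, reverse=True), owner=1001)
    return sha256(party_a), sha256(party_b)


def builds_match(build_fn, tree=SOURCE_TREE):
    """True when both parties' artifacts are byte-for-byte identical."""
    a, b = independent_builds(build_fn, tree)
    return a == b


def verify_vendor_artifact(vendor_artifact, tree=SOURCE_TREE):
    """What a third party can do when the source is public: rebuild
    deterministically and compare the digest with the shipped artifact."""
    return sha256(vendor_artifact) == sha256(reproducible_build(tree))


if __name__ == "__main__":
    print("naive builds agree:", builds_match(naive_build))
    print("reproducible builds agree:", builds_match(reproducible_build))
    tampered = dict(SOURCE_TREE, **{"src/main.c": b"/* backdoored */\n"})
    print("tampered artifact verifies:",
          verify_vendor_artifact(reproducible_build(tampered)))
```

The point of the comparison is the last function: the check is only possible because the verifier can rebuild from source. For a proprietary updater such as ASUS Live Update, the outside world has only the signed binary, so a valid signature from a compromised signing pipeline is indistinguishable from a clean release.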

One way for companies to reduce risk is to choose software vendors with a good security track record. Before making new software acquisitions or extending existing contracts, organizations could ask vendors for the results of security audits performed against their networks and infrastructure. This wouldn't guarantee that a particular vendor can't be compromised, but it would indicate that it cares enough about security to at least perform such assessments.

If a compromise does happen, organizations should at least be confident that their chosen software suppliers are capable of discovering the breach, remediating the problem and notifying affected parties in a timely manner.

Another thing that companies can do is test software updates inside a virtual machine environment before deploying them on production systems, Raiu says. This can be used to discover whether updates exhibit suspicious behavior after installation, like generating network traffic to domain names they shouldn't be talking to.

This approach doesn't work for catching all attacks. For example, the backdoored ASUS Live Update samples connected back to an attacker-controlled domain called asushotfix.com, but this only happened on systems that had the targeted MAC addresses. The VM prevention and detection method would have worked for the second-stage victims, but not for everyone else who received the malicious update.

"Even in a well instrumented test environment, this would not have been discovered unless the test environment contained one of the target MAC addresses (highly unlikely)," says Jake Williams, president of security consultancy Rendition Infosec and instructor at the SANS Institute. "The fact that this type of attack is nearly impossible for an end user/organization to prevent speaks to the need for continuous monitoring. It's also somewhat concerning that ASUS didn't spot (and issue a takedown) for the obvious domain name typosquat. With good continuous monitoring, a never-before-seen domain alert would have been created on first contact to the malicious domain, resulting in an investigation."
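As an added example of the monitoring Williams describes (it is not code from Rendition Infosec, Kaspersky or ASUS), the script below runs two checks over a constructed DNS query log: a never-before-seen alert raised once, on first contact, for any domain outside a baseline of expected destinations, and a lookalike check that flags domains carrying the vendor's brand name but not under the vendor's own registered domain. The log lines, host names, baseline and vendor domain list are all assumptions made for the example; only asushotfix.com comes from the article. The two-label "registered domain" helper is a deliberate simplification; production code should consult the public suffix list.

```python
import re

# Constructed sample resolver log (not real telemetry).
SAMPLE_LOG = """\
2018-06-14T09:12:01Z host=ws-017 query=liveupdate01.asus.com
2018-06-14T09:12:03Z host=ws-017 query=dlcdnet.asus.com
2018-06-14T09:12:09Z host=ws-042 query=update.microsoft.com
2018-06-14T09:13:30Z host=ws-017 query=asushotfix.com
2018-06-14T09:13:31Z host=ws-017 query=asushotfix.com
2018-06-14T09:14:02Z host=ws-042 query=liveupdate01.asus.com
2018-06-14T09:15:45Z host=ws-009 query=asus-driver-cdn.net
"""

# Destinations the updater is expected to contact (assumed; in practice
# learned from historical logs or taken from vendor documentation).
BASELINE = {"liveupdate01.asus.com", "dlcdnet.asus.com", "update.microsoft.com"}

# The vendor's own registered domain(s) and the brand token(s) to watch for.
VENDOR_DOMAINS = {"asus.com"}
BRAND_TOKENS = {"asus"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def registered_domain(qname):
    """Crude eTLD+1 (last two labels); enough for the sample data."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(qname):
    """True when the domain contains a brand token but is not under one of
    the vendor's own registered domains, e.g. asushotfix.com vs asus.com."""
    reg = registered_domain(qname)
    if reg in VENDOR_DOMAINS:
        return False
    return any(token in reg for token in BRAND_TOKENS)


def analyze(text, baseline=BASELINE):
    """Raise one alert per newly seen domain, tagging vendor lookalikes."""
    seen = set(baseline)
    alerts = []
    for rec in parse_log(text):
        qname = rec["qname"].lower().rstrip(".")
        if qname in seen:
            continue                      # alert once, on first contact
        seen.add(qname)
        reasons = ["never-before-seen"]
        if is_lookalike(qname):
            reasons.append("vendor-lookalike")
        alerts.append({"ts": rec["ts"], "host": rec["host"],
                       "qname": qname, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["qname"], ",".join(alert["reasons"]))
```

Run against the sample log, the first query for asushotfix.com from ws-017 produces an alert carrying both reasons, the repeat query a second later is suppressed, and the constructed asus-driver-cdn.net is flagged as a lookalike as well. The first-seen rule is what catches a brand-new command-and-control domain even when no lookalike heuristic matches; the lookalike rule adds priority to the triage queue.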

Minimizing the use of auto-updating software reduces risk

According to Williams, companies should actually consider if these PC vendor utilities need to be on their systems in the first place and if their functionality can't be replaced with other processes or tools. "Based on the number of vulnerabilities discovered in these types of vendor applications over the years, we've removed these from our corporate workstation builds at Rendition Infosec and have a process in place for manually checking for updates periodically," he said. "Of course we also monitor vulnerability announcements so we would know if a new vulnerability was disclosed between checks. We also recommend to our clients that they embrace a third-party patch management solution instead of relying on the auto-update functionality baked into so many apps."

How to protect against software supply chain attacks is one of the most complicated problems the security industry is trying to solve at the moment, Raiu says. These kinds of attacks are not new, and there are examples going back over a decade, but they've become more visible recently, possibly also because security companies have become better at discovering them, he adds.

While preventing software supply chain attacks remains problematic, organizations should continue to improve their detection and response capabilities for APT attacks in general. Ultimately, it is only the infection vector that's different; once hackers are inside, these are similar to any other APT attacks and can be detected by solutions that analyze network and system logs, unauthorized processes and other suspicious behavior on endpoints.