Experts at Skylight Cyber released the list of 600 MAC addresses used by the threat actors behind Operation ShadowHammer to target ASUS customers.

Skylight Cyber released the list of 583 MAC addresses used by the threat actors behind Operation ShadowHammer to target ASUS customers.

Over 1 million ASUS users may have been impacted by a supply chain attack that leveraged the ASUS Live Update utility to inject a backdoor in ASUS systems.

The campaign was uncovered by experts from Kaspersky Lab and took place between June and November 2018, but experts discovered it in January 2019.

Kaspersky has released a tool to allow users to determine if they were impacted. Experts at Skylight Cyber were able to extract the MAC addresses used by attackers in the Operation ShadowHammer hack by reverse engineering the offline tool released by Kaspersky.

Skylight CTO Shahar Zini explained that the knowledge of the IP addresses could allow anyone to improve their security.

The full list of MAC addresses included within the executable contained 619 salted hashes. The experts used an Amazon server (an Amazon AWS p3.16xlarge instance with eight NVIDIA V100 Tesla 16GB GPUs) and a modified version of the HashCat password cracking tool to brute force the MAC addresses. They obtained 583 MAC addresses in less than an hour.

We've published the [almost] full list of MAC addresses targeted by #shadowhammer in plain-text form (based on @Kaspersky's work). Feed into your #threatintel to see if your organization was targeted. https://t.co/G8QUVpi34M — Skylight Cyber (@SkylightCyber) March 29, 2019

“Even with all of those strategies in place, brute forcing a single prefix was going to take us ~3 hours on our modest hardware. With a narrowed down list of around 1300 prefixes, that meant 162.5 days, a tad bit more than we would have liked.” reads the post published by the experts.

“Enter Amazon’s AWS p3.16xlarge instance.

These beasts carry eight (you read correctly) of NVIDIA’s V100 Tesla 16GB GPUs. As Al Pacino once said – “Say hello to my little friend!” 🙂

The entire set of 1300 prefixes was brute-forced in less than an hour.”

Experts at Qihoo 360 also analyzed the list of MAC addresses used in the ASUS attack and published a chart detailing the network interface controller (NIC) vendors involved in the hack. Most of the NICs belong to ASUS, Intel, AzureWave, and LiteOn.

Kaspersky experts attribute the attacks to the BARIUM APT group, the same threat actor behind the ShadowPad and CCleaner supply chain attacks.

The BARIUM APT is believed to be under the Winnti umbrella along with other APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and procedures (TTPs) and in some cases shared portions of the same hacking infrastructure.

Below is the geographic distribution of the victims of Operation ShadowHammer.

Users who find their computer's MAC address in the list are advised to perform a factory reset to wipe the entire system.
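One way to run that check across an asset inventory instead of one machine at a time, as an added example that is not code from Skylight Cyber, Kaspersky or ASUS. The MAC addresses, hostnames and function names are constructed placeholders, not real ShadowHammer indicators.

```python
import re

# Constructed stand-in for the published plain-text target list (NOT real indicators).
TARGET_LIST_TEXT = """\
# one MAC per line, any common notation
00:11:22:AA:BB:01
0011.22aa.bb02
66-77-88-CC-DD-03
"""

# Constructed inventory: hostname -> every adapter MAC, as exported by different tools.
INVENTORY = {
    "ws-finance-01": ["00-11-22-aa-bb-01", "02:42:ac:11:00:02"],
    "ws-dev-07": ["6677.88CC.DD03"],
    "ws-hr-03": ["00:11:22:AA:BB:FF", "n/a"],
}

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_targets(text):
    """Parse the target list, skipping comments and anything that is not a MAC."""
    return {m for m in map(normalize_mac, text.splitlines()) if m}

def find_targeted_hosts(inventory, targets):
    """Map hostname -> sorted MACs of that host that appear in the target list."""
    hits = {}
    for host, macs in inventory.items():
        matched = sorted({m for m in map(normalize_mac, macs) if m in targets})
        if matched:
            hits[host] = matched
    return hits

def unchecked_entries(inventory):
    """Inventory values that failed to parse and so were never compared."""
    return [(h, m) for h, macs in inventory.items()
            for m in macs if normalize_mac(m) is None]

if __name__ == "__main__":
    targets = load_targets(TARGET_LIST_TEXT)
    for host, macs in find_targeted_hosts(INVENTORY, targets).items():
        print(f"TARGETED {host}: {', '.join(macs)}")
    for host, raw in unchecked_entries(INVENTORY):
        print(f"UNCHECKED {host}: could not parse {raw!r}")
```

Comparing normalized values avoids false negatives when the list and the inventory use different separators or letter case, and the unchecked report shows which hosts still need a manual look.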

ASUS fixed the Live Update utility with the release of version 3.6.8. The vendor implemented “multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means.”

It also implemented an enhanced end-to-end encryption mechanism and improved security of server-to-end-user communication.

The vendor also developed an online security diagnostic tool that allows users to check whether their computers have been impacted.

Pierluigi Paganini

( SecurityAffairs – Operation ShadowHammer, hacking)
