'Operation ShadowHammer' Shows Weakness of Supply ChainsReport: Poor Asus Security Allowed Its PCs to be Infected with Backdoors
A sophisticated attack campaign dubbed "Operation ShadowHammer" involved an advanced persistent threat group planting backdoors within Asus computers. Security firm Kaspersky Lab says attackers subverted the Taiwan-based PC manufacturer's third-party supply chain and updater software to distribute the malware.
In a blog post published Monday, Kaspersky Lab researchers offered some information about how ShadowHammer works, although the security firm plans to reveal many more details during its SAS 2019 conference in April.
Between June and November 2018, the APT group behind the attack targeted the Asus Live Update Utility, installing a backdoor to gain access to these machines. The software is pre-installed in the company's PCs and is used to automatically updated components such as BIOS, UEFI, drivers, as well as applications installed on computers.
Asus did not respond to multiple requests for comment.
The hijacking of software updates from third-party suppliers is increasing popular among attackers and one significant reason why the supply chain is often the weakest link in a company's security plans.
"Because these are more akin to embedded systems or IoT device software packages, [supply chain attacks] don't typically get the same level of scrutiny that other applications do," Nathan Wenzler, the senior director of cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, tells Information Security Media Group. "And since they are deployed so widely or preinstalled on hardware, it's an obvious single point of compromise that reaps an attacker huge benefit if they can get in and exploit the tool."
Kaspersky Lab first alerted Asus, which Gartner ranks fifth in the world in total PC shipments, to the attack on Jan. 31.
In its analysis, researchers found that as many as 57,000 users of Kaspersky Lab's security tools downloaded the backdoor through the infected software during the six-month period of the attack.
However, this is only a small portion of the PCs that could have the backdoor installed, which Kaspersky researchers estimated could number as many as 1 million.
Symantec also confirmed the attack campaign and noted that it has detected about 13,000 machines that have been infected. About 80 percent of those are consumer devices, while the other 20 percent belong to businesses or other organizations.
While the exact scope and purpose of installing these backdoors remains unclear, researchers say the APT group does appear to have targeted a very specific set of Asus PC users. These victims were identified through their MAC addresses. Specifically, the attackers hardcoded MAC addresses into the trojanized software samples recovered by Kaspersky Lab, which says this list was used to target specific machines and their users.
Once the backdoor was installed on a victim's machine, it would signal back to a command-and-control server and then receive additional malware to plant in the PC, according to Vice Motherboard, which first reported the story. If the PC was not on the target list, the malware did not initiate a call to the C&C server.
One reason why the operation continued for so long without being detected is that attackers used legitimate certificates, such as "AsusTeK Computer Inc.," as part of the trojanized updates, researchers say. The updater software was also hosted on legitimate domains.
The majority of victims are in Russia, although this is based on Kaspersky Lab's analysis of malware spotted by users of its own tools. Based on Kaspersky Lab's user base, customers in Germany, France, Italy and the U.S. also saw a large number of infections.
Clues to Attacker's Identity
Although there's no smoking gun, Kaspersky Lab's analysis loosely links ShadowHammer to a similar attack from 2017 called ShadowPad, in which attackers planted a data-stealing backdoor in five software packages associated with server management vendor NetSarang. As in the more recent attack campaign, the attacks utilized a supply chain compromise.
The APT group behind ShadowPad has been identified as Barium, which Microsoft had previously named in court documents that have been made public.
Security researchers say Barium is itself part of a larger group dubbed Winnti Umbrella, which is named for the backdoor tools used as part of its various schemes. Some researchers believe this group is associated with Chinese intelligence. It is also known as Winnti, PassCV, APT17, Axiom, Lead, Wicked Panda and Gref.
This larger group has also been spotted using legitimate certificates for software to disguise malware that is then delivered to a victim's PC.
Supply Chain Weakness
In addition to ShadowPad, Operation ShadowHammer resembles another attack from 2017 that used a trojanized version of CCleaner to infect about 700,000 systems worldwide as part of a targeted attack.
In that case, hackers attacked a server owned by British developer Piriform, which has been recently acquired by Czech security firm Avast, and used it to distribute a malicious version of CCleaner to customers.
How Asus fell victim to this attack remains unknown, Costin Raiu, director of the Kaspersky Lab Global Research and Analysis Team, tells ISMG.
Asus declined an offer made by his research team to help investigate the intrusion further, Raiu says.
"Meanwhile, we discovered that according to Avast, Asus has been one of the targets of the CCleaner attack in 2017, meaning they got infected and have been targeted with the second stage of the CCleaner malware," Raiu says. "It is possible this is how the attackers breached Asus in the first place, however, without a digital forensics and incident response operation, we can't tell for sure."
Repeat Target: Supply Chains
Whether it's Asus or Avast, companies that have wide reach with the types of products they produce are a target for these types of supply chain attacks, experts say.
"Companies who have huge reach with their hardware assets, whether laptops, desktops or IoT devices, must take security as, if not more, seriously as companies which rely on their applications as their primary business driver," Wenzler of Moss Adams says. "These built-in tools may not cost the customers anything directly, but if compromised, the cost to both users and the companies themselves is potentially massive. Secure coding and strong vulnerability management are critically important no matter what kind of software your company develops, and should be some of the most integral parts of your development process."
Fred Kneip, the CEO of Denver-based cybersecurity firm CyberGRX, tells ISMG that the attack against Asus reveals how critical supply chain security has become and what happens when vendors don't consider the consequences.
"This is a prime example for why all businesses must move beyond the trust factor and ensure they are applying the right level of due diligence to any vendor in their ecosystem, regardless of that organization's reputation," Kneip says. "Ultimately, the modern supply chain does not simply include just hardware and software manufacturers but also the vendors that deliver software updates, and in order to be successful security leaders need to truly understand which of these companies pose the greatest risk to their organization and enact security measures reflective of this ranking."