
Hackers Hijacked Asus Software Updates to Install Backdoors - yankcrime
https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
======
throwawayasus
Does anyone know of any company being found liable for negligence after a hack
like this? Is it somehow possible to sue them for being so bad at security?

I have an asus laptop that I use for gaming, most likely it had their cruft
running at some point. What would be the most viable path to sue?

It is so frustrating and frightening to take security seriously yourself, to
have taken precautions, to find out that your idiotic manufacturer has screwed
it up in an idiotic way.

Their update system should never have been designed in a way to make this
possible. The negligence is in the design of the system.

~~~
justinclift
> The negligence it in the design of the system.

Not sure. It seems like a fairly generic update approach, e.g. a central
server (or servers) provides available updates, with client software on the PC
checking for them.

As a concept, that's what MS and Apple's update approaches (for consumers) do
too.

It's just ASUS are extremely incompetent with anything software related, not
just security.

Hopefully this, plus the previous fine for their incompetence, gets their
leadership to change things in a positive way.

~~~
flukus
> It's just ASUS are extremely incompetent with anything software related, not
> just security.

Hardware companies are extremely incompetent at anything software related; we
see this in everything from PCs and phones (TouchWiz, HTC Sense) right down
to TVs and various IoT devices. I can't imagine what the PC industry would
look like if luck hadn't delivered us an open platform.

~~~
neop1x
Yes, free software and open source did wonders and I am so thankful for all
the devs who made it possible, thank you!

On the other hand, there is a growing number of insecure and closed IoT
garbage devices. It will be common to see a wifi attack coming from a breached
water kettle.

------
raesene9
Interesting hack, but not really a surprise that attackers are continuing to
look at supply chains to get into targets that might otherwise be quite
hardened.

From what I've seen of PC laptops, in many cases (especially with companies
that don't usually have large corps as customers) they don't provide the
option for corporates to enforce downloads of firmware/utilities from a
company controlled source, so they'll come from the vendor's central location.

So Asus' risk profile isn't going to include good defences against high-
end/state-level attackers, so it's a nice vector for one of that class of
attacker to get into companies who are customers of Asus'.

It would _seem_ like the attacker must have had some foreknowledge of what
systems they wanted to target (i.e. that their target used Asus laptops) but
that's not impossible to achieve.

~~~
Nadboy1
This reminds me of the Runaway Evidence episode from the Ghost in the Shell
series. An employee with access to the codebase for a military weapons
manufacturer manipulates it for their personal reasons.

~~~
fapjacks
Indeed, this scenario is so ubiquitous that it will certainly continue
happening as far into the future as there are human beings, for whatever
definition of "human being" you can come up with. One of the first things I
learned in the military was that many _many_ things -- which are so shocking
as to be almost unbelievable -- never see the light of day and become news
stories. It happens so often that I would be willing to bet a hundred United
States dollars that your local police department has some not-insignificant
percentage of employees (think five or ten percent) that _regularly_ use their
patrol car computers for personal reasons, or quasi-personal reasons. I've met
more than one police officer personally who genuinely saw nothing wrong with
it. They think that it's harmless, or worse, that they're justified in doing
so because their intentions are good.

------
woliveirajr
> Buried in those malicious samples were hard-coded MD5 hash values that
> turned out to be unique MAC addresses for network adapter cards.

Having access to those MAC addresses (or their MD5 hashes) could be interesting.
I would like to verify if my MAC was among those targeted, to do a deep
inspection of my whole infrastructure. I'm not sure Kaspersky was able to
determine all those 600 MAC addresses to contact specific companies.

~~~
Crosseye_Jack
It's an MD5 hash according to the article. I wonder how long it would take to
hash 281,474,976,710,656 MAC addresses into MD5? Well, you wouldn't have to do
all those; find the vendor IDs for ASUS and "just" hash those.

EDIT: Looks like Kaspersky have published tools to check if your MAC was one
of those targeted - [https://securelist.com/operation-shadowhammer/89992/](https://securelist.com/operation-shadowhammer/89992/)
I don't think they have published the whole list. Just a checker app and a
webform to check. The checker app _may_ contain the whole list.

Looks like they were updating the list of MACs over time (rules out my
initial thought of them targeting a purchase order to get a handful of people
who would have gotten machines from that order) as it seems that Kaspersky
pulled the list of MACs from about 200 samples.

~~~
the_pwner224
It would take a few seconds (at most) to brute force all of them.

The vendor IDs in a laptop/desktop would be a limited set (Realtek, Intel,
Atheros, Broadcom are the big names off the top of my head), each company has
a few vendor IDs but still it's a small search space. Here are my notes from
the calculation:

48 bits / 6 bytes per MAC

Vendor ID is 6 hex digits = 3 bytes / 24 bits

[https://www.brandonfoltz.com/2014/09/how-fast-is-md5/](https://www.brandonfoltz.com/2014/09/how-fast-is-md5/) 2014/09: Core 2
Duo E6550 @ 3 GHz does 427 MB/s with one process, DDR2-800 RAM

Modern CPU: 4.5 GHz @ 8 cores * 1.25x IPC and RAM improvement (RAM has come a
long way since DDR2, but in the article he was CPU bound so that's probably
still the bottleneck)

= 427 * (4.5/3.0) * 8 * 1.25 = 6.4 GB/s

24 bits of actual MAC left per vendor = 16,777,216 MACs/vendor

16.8 million * 3 bytes = 50.4 million bytes per vendor

6.4 GB / 50.4 MB = almost 1300 vendor prefixes per second

The website listed above provides MD5 hash rate in MB/s (on a CPU, too). A few
other sources I found provided hash rates in hashes/sec instead, such as this
StackExchange answer saying that 1.3 billion SHA-1 hashes/sec are possible on
an old GPU. SHA-1 is more complex than MD5, and GPUs are still following
Moore's law very well, so it would be trivial to brute force this.

[https://security.stackexchange.com/a/8609](https://security.stackexchange.com/a/8609)

Source for vendor IDs:
[https://gist.github.com/aallan/b4bb86db86079509e6159810ae9bd...](https://gist.github.com/aallan/b4bb86db86079509e6159810ae9bd3e4)
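
An added example, not from the thread or from Kaspersky's checker, to make the two points above concrete: a MAC-hash checker in the shape the posts describe, which hashes one MAC in every common textual spelling (the thread does not say which string format the samples hashed, so that is an assumption and the reason a checker should try all of them) against a constructed digest list, plus the 2^24-per-OUI search space from the calculation and a bounded walk of one OUI to show how hashes map back to addresses. All MACs and digests here are constructed; the OUI `00:1a:2b` is a placeholder, not a real vendor prefix.

```python
import hashlib
import re
from typing import Iterable


def canonical_mac(mac: str) -> str:
    """Reduce any MAC spelling to 12 lowercase hex digits, rejecting junk."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_variants(mac: str) -> list[str]:
    """Every common textual form of one MAC (bare, colon, dash, dotted;
    lower and upper case). ASSUMPTION: the malware's exact format is not
    given in the thread, so a checker hashes all of them rather than guess."""
    d = canonical_mac(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    forms = {
        d,
        ":".join(pairs),
        "-".join(pairs),
        ".".join(d[i:i + 4] for i in range(0, 12, 4)),
    }
    return sorted(forms | {f.upper() for f in forms})


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def is_targeted(mac: str, target_hashes: set[str]) -> bool:
    """True if any spelling of `mac` hashes to a digest in the target list."""
    hashes = {h.lower() for h in target_hashes}
    return any(md5_hex(v) in hashes for v in mac_variants(mac))


def search_space_per_oui() -> int:
    """48-bit MAC minus the 24-bit OUI leaves 2^24 device IDs per prefix."""
    return 1 << 24


def recover_under_oui(target_hashes: set[str], oui: str,
                      device_ids: Iterable[int]) -> dict[str, str]:
    """Map target digests back to MACs under one OUI by hashing each candidate
    device ID in every textual form. `device_ids` bounds the walk; the full
    range is range(search_space_per_oui()), which the post above sizes."""
    hashes = {h.lower() for h in target_hashes}
    prefix = canonical_mac(oui + "000000")[:6]
    found: dict[str, str] = {}
    for dev in device_ids:
        if not 0 <= dev < search_space_per_oui():
            raise ValueError(f"device id out of 24-bit range: {dev}")
        mac = f"{prefix}{dev:06x}"
        for variant in mac_variants(mac):
            digest = md5_hex(variant)
            if digest in hashes:
                found[digest] = mac
    return found


# Constructed sample: two target digests as a checker would embed them,
# deliberately stored in two different MAC spellings.
CONSTRUCTED_TARGETS = {
    md5_hex("00:1a:2b:00:01:02"),  # victim MAC hashed colon-separated, lowercase
    md5_hex("001A2B00ABCD"),       # victim MAC hashed as bare uppercase hex
}

if __name__ == "__main__":
    print(is_targeted("00-1A-2B-00-01-02", CONSTRUCTED_TARGETS))  # True
    print(is_targeted("00:1a:2b:ff:ff:ff", CONSTRUCTED_TARGETS))  # False
    print(recover_under_oui(CONSTRUCTED_TARGETS, "00:1a:2b", range(0, 0x200)))
```

Note that a checker that fixes on one spelling (say, lowercase with colons) would miss the second constructed target entirely; that silent false negative is the caveat when reusing someone else's hash list.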

~~~
DownGoat
An Nvidia GTX 1080 can do about 20-25 GH/s of MD5. This makes the whole
search space, even without taking the vendor prefixes into account, quite
brute-forceable. Here is a benchmark of hashcat that gives some insights into
the speed of the different hashing algorithms.

[https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...](https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40)

A recently released tool also allows you to do all this on AWS for quite cheap
without any big investment in hardware. [https://github.com/Coalfire-Research/npk](https://github.com/Coalfire-Research/npk)

------
dsfyu404ed
Some dude who works in an office in Maryland or Georgia is reading this and
thinking "yup, that's us".

The details here scream "state actor".

~~~
ianhawes
Or Hawaii or Texas

~~~
zaphirplane
I don't get it. China, Israel, N Korea, Iran, Russia, UK, France are not shy
violets in aggressive hacking. There is also a bunch of up and comers in India
and Saudi that are flexing.

------
cronix
> Motherboard’s reporting said the backdoor was scanning for some 600 MAC
> addresses, matching what TechCrunch has learned, and was likely targeted to
> infect only a small number of victims rather than cause infections on a
> large scale.

It would be interesting to know what companies/orgs those mac addresses belong
to. This sounds very targeted against something specific.

------
cf141q5325
Only 600 were targeted. Stupid question, but is there a scenario where this
isn't a state actor? Who would throw away already infected machines?

~~~
NelsonMinar
I find the precision sort of comforting. One danger of the growth of state-
actor malware is that a lot of us could be collateral damage caught in the
crossfire. This sort of precise targeting seems at least reasonably
responsible. Stuxnet also had careful target selection.

~~~
cf141q5325
>Stuxnet also had careful target selection.

The NSA also had stuff like EternalBlue lying around instead of getting it
patched, the polar opposite of being responsible. I doubt that there is such a
thing as responsible hacking by state actors. They know of and are actively
exploiting weaknesses that are a danger to all of us.

~~~
NelsonMinar
Yeah, and also the NSA has forever compromised part of their mission: to secure
US infrastructure. No American company will trust their "help" any more since
they've spent so much time subverting our own security.

~~~
johnwyles
This talk is all well and good between us here on Hacker News, but I don't
think your Joe Plumber really cares that these things are going on behind the
curtains enough to vote about them, protest, or write his congressman. Look at
the "uproar" Snowden caused - it just pushed these activities further
underground within US cyber intelligence.

------
vxxzy
Why would they only be interested in 600 MACs as opposed to the numerous
others? This is casting a rather large net. Wouldn't this imply the attacker
had knowledge before this hardware was shipped? (why only 600 MACs!?)

~~~
aasasd
Perhaps rolling out the full attack gradually, to see if it flies under the
radar. The knowledge required might be simply a modulo of the MAC.

~~~
32032141
Why not do it deterministically then? 600 hashes of MAC addresses suggests
that it's a very targeted group of machines, it's the size of a moderately
large company, for example.

------
sneakernets
"Asus has not informed customers of the vulnerability after it was discovered
earlier this year."

This is typical of Asus, isn't it? After that Windows update last year or so
broke their ROG motherboard software and it wasn't fixed for over a month,
you'd think they would have learned by now.

------
TheAsprngHacker
According to the article, "The researchers estimate half a million Windows
machines received the malicious backdoor through the ASUS update server." I
use an Asus computer, but I use GNU/Linux and almost never boot into Windows.
Am I affected by the malware? How can I check?

~~~
justinclift
> I use an Asus computer, but I use GNU/Linux and almost never boot into
> Windows.

It probably depends on whether your computer came with Windows pre-installed
(not good), or you've ever installed the ASUS provided "ASUS Update" utility
software for Windows.

It's a specific download, that you'd need to manually install.

AFAIK, most (tech) people consider it bloatware, so don't.

If your computer came with Windows pre-installed though... uh oh.

------
aasasd
> the attack, which Kaspersky Lab has dubbed ShadowHammer

I see we're already hitting a deficit of new names for vulnerabilities.

~~~
bshipp
We need some sort of security vulnerability name generator.

A google search later and of course it already exists, hahaha:

[https://paulbellamy.com/vulnerability-name-generator/](https://paulbellamy.com/vulnerability-name-generator/)

~~~
aasasd
Not sure if I should call dibs on “iLoveCRIME”.

~~~
mikeash
Better than PoodleLeak.

------
josteink
It’s probably easy to frame this as closed source versus open source, but
honestly this _can_ happen to anyone and I think we have numerous examples of
Linux distributions also having their core servers compromised leading to
similar risks in distributing malicious software.

That said I’d rather be running an operating system with reproducible builds
based on open source software. I suspect problems like this would have been
more quickly discovered, before hundreds and thousands of users were affected.

~~~
bshipp
I also prefer the open source concept, but I always have--in the back of my
mind--the case of Azer Koçulu:

[https://qz.com/646467/how-one-programmer-broke-the-internet-...](https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/)

I recognize that it's a leap to go from deleting a repository to converting it
toward malicious intent (although sometimes it's likely not as big of a leap
as we think), but as open source continues to build libraries on top of other
libraries we do open ourselves to the risk that one of those innocuous
libraries, at some point in the future, could end up causing issues.

The other problem is that open source users often expect that the "crowd" will
discover and identify issues fairly quickly because everyone is looking for
them. But not everyone _is_ looking for them. I can probably count on two
hands the number of times I've gone through the source code of the libraries
that I use, and I suspect most others are in a similar position. We all expect
some bored soul in the world is doing the looking, but the truth is that
they'll only start looking if something breaks.

~~~
peterwwillis
I've noticed how obvious security problems get "discovered" over the years,
when people already knew about them. What happens is, someone new finds the
bug and makes a big stink about it being exploited. Everyone realizes the bug
is a huge problem and then, one by one, every software project with that bug
incorporates a fix or remediation. What should have never existed soon becomes
another in a line of "standard fixes" that every system afterwards has to
account for.

There are things that (in retrospect) should be a standard part of all open
source supply chains. Basic code vuln scanning, code signing+verifying,
reproducible builds, redundant copies of code, and licenses permitting keeping
code around to prevent breaking other code. But they're not standard - _yet_.
So one by one, we have to run into these problems and break things before
they're addressed and later become de-facto standards.

I've noticed that this mirrors real life. In real life you can notice that an
intersection is dangerous and needs a stop sign. But until a schoolbus full of
children is plowed into, nobody lifts a finger. It's the same in technology.
You can't just mention the big potential problem; you have to wait for the
explosion.

I spent months trying to get websites on the internet to mention that the
default options they suggest for _ssh-keygen_ are fundamentally insecure and
dangerous, and while all of them acknowledge this is a fact, _most of them
won't update their guides_. Not until someone creates a virus that finds and
exposes vulnerable ssh key passwords around the world. Then all of a sudden
whatever implicit bias they had against doing the work will disappear, as fear
of impending consequences takes over.

~~~
toyg
_> I've noticed that this mirrors real life._

This is because taking additional or remedial actions is _work_. That work has
to be justified against a hierarchy of needs. Until that justification is
credible enough, work will be allocated elsewhere.

------
SomeHacker44
Does anyone know where to get and verify a known good version of Asus's
software, or identify and clean a system of backdoored software? I ask as an
owner of an Asus motherboard.

~~~
Crosseye_Jack
Depends on what the other payload did. The infected updates checked your MAC
and if it matched a list of targets, downloaded and executed the 2nd payload.
The payload from ASUS itself seems to be pretty tame, assuming you were not
one of the target machines...

Check your MAC here [https://securelist.com/operation-shadowhammer/89992/](https://securelist.com/operation-shadowhammer/89992/)
(which also contains info about some of the payloads; apparently there were
over 200 samples found by Kaspersky). If you don't match you "should" be fine.
But who knows where the "update" was installed to, to purge it from the system.
A full wipe may be in order (or wait a short while and allow the various AV
engines to get hold of the signatures of the first stage malware and allow them
to scan your machine).

If you were on the target list then who knows what the secondary payload
contained... Though as it was just a small number of MACs targeted, if you
were targeted the device may be more valuable to you and others untouched so it
can be analysed than the cost of a replacement and trying to figure out why
you were targeted.

As for where to get known good software: ASUS used to have an ftp site with
all their stuff on it, dunno if they still do. This attack seems to be
targeting the live update method, so downloads from the support page for your
model are probably fine... But it would be on ASUS to come clean and report on
what got infected and when to be sure. They have revoked the certs used to
sign the updates; you could check any downloads from ASUS to see if the cert
matches just in case MS has yet to push the revocation to everyone, or just
stick with the stock drivers from MS until everything is sorted out.

~~~
TxRedneck
Where are you reading that they've revoked the certs? I've not seen anything
that indicates they've done so.

~~~
Crosseye_Jack
Sorry, I was sure I read somewhere that ASUS themselves had requested the cert
to be revoked, but I can't find the site I read that from now to cite, other
than "ASUS are no longer using that cert", which is what Kaspersky are saying.

ASUS are using a new code signing cert though, but it is dated from earlier
today so maybe it was "ASUS are due to revoke the cert".

------
cozzyd
I have an ASUS laptop but fortunately the first thing I did was to replace
Windows with Fedora.

------
oakwhiz
The behavior they describe reminds me of Stuxnet: only certain machines seem
to be executing a specific payload.

------
tyfon
I don't understand why one would allow untrusted IPs to upload software to be
spread like this.

Putting new updates on such a system should be part of a process with many
checks on the way to verify the authenticity of the software?

~~~
dhimes
Well, the certs were legit. So I guess yeah, in hindsight only allowing
certain IPs to be associated with a cert or something would be cool, but damn
if I know how to do that on a Windows machine.

~~~
tyfon
No I mean on Asus' side.

Like you should have a very specific procedure to put files on the server not
let a random computer on the internet do it without an approval process.

~~~
c256
The update service inside ASUS was broken, so it doesn’t matter what ASUS
intended or implemented; the attackers would have just changed that. The
second stage installer was totally owned by the attacker. Perhaps interesting
to note: this is a situation where a blockchain could have been helpful.

~~~
tyfon
Yeah I understand that, but how is it possible for a company to put such a
service on the network so that it _can_ be breached, that was really my
question.

It shouldn't have the place where you put the update files exposed to the
internet at all. Unless it was an inside job somehow.

The way it's described it almost sounds like the service exposed to the
internet had write access to the files.

~~~
justinclift
> The way it's described it almost sounds like the service exposed to the
> internet had write access to the files.

A service exposed to the internet gets to decide what it sends to end users.
Compromise that, it can replace the stuff sent on the fly.

Not saying that's what happened here, just pointing out that not having "write
access to the files" isn't a guaranteed win either.

Depending on what else the attackers had access to (executables key signing
pieces?), likely determines the approaches they took.

------
Jerry2
A few interesting bits that are buried at the very end of the article and many
might have missed them:

> _They said they found similarities between the ASUS attack and ones
> previously conducted by a group dubbed ShadowPad by Kaspersky. ShadowPad
> targeted a Korean company that makes enterprise software for administering
> servers; the same group was also linked to the CCleaner attack. Although
> millions of machines were infected with the malicious CCleaner software
> update, only a subset of these got targeted with a second stage backdoor,
> similar to the ASUS victims. Notably, ASUS systems themselves were on the
> targeted CCleaner list._

> _The Kaspersky researchers believe the ShadowHammer attackers were behind
> the ShadowPad and CCleaner attacks and obtained access to the ASUS servers
> through the latter attack._

> _“ASUS was one of the primary targets of the CCleaner attack,” Raiu said.
> “One of the possibilities we are taking into account is that’s how they
> intially got into the ASUS network and then later through persistence they
> managed to leverage the access … to launch the ASUS attack.”_

These attackers have planned this for a very long time. CCleaner was just
collateral damage in NSA's quest to infiltrate high-value OEM targets. The NSA
probably also got HDD firmware source code and certificates through a similar
"shotgun" approach.

I also found this part interesting (from [0]):

> _Although precise attribution is not available at the moment, certain
> evidence we have collected allows us to link this attack to the ShadowPad
> incident from 2017. The actor behind the ShadowPad incident has been
> publicly identified by Microsoft in court documents as BARIUM. BARIUM is an
> APT actor known to be using the Winnti backdoor. Recently, our colleagues
> from ESET wrote about another supply chain attack in which BARIUM was also
> involved, that we believe is connected to this case as well._

Which leads to a copy of the lawsuit filed by Microsoft against BARIUM actors
[1].

I wonder what the status of this lawsuit is when the defendants are probably
the NSA employees. Even Microsoft gives lots of hints about BARIUM being the
NSA. They even filed it in Eastern District of Virginia, Alexandria Division,
Federal Court... which is one of the favorite places where intelligence
agencies file criminal complaints. I bet the US Gov will stonewall and ask the
MS to drop it.

[0] [https://securelist.com/operation-shadowhammer/89992/](https://securelist.com/operation-shadowhammer/89992/)

[1] [https://www.courthousenews.com/wp-content/uploads/2017/11/ba...](https://www.courthousenews.com/wp-content/uploads/2017/11/barium.pdf)

------
oyebenny
Can someone please tell me how I can find out if I'm infected and how to
remove it?

------
adolfoabegg
Will they be banned just like Huawei?

~~~
rurban
Looks more like the work of the San Antonio CIA hackers, not Chinese. So most
likely not. But the Chinese might try to ban it then. First the Russians will
analyze the targets and then you know who did it.

------
baybal2
A very good reason to shut down any automatic update software, moreover on a
commercial OS.

The whole "signing infrastructure" thing stops working when the number of
parties involved exceeds n=2.

When you have 10+ parties involved, the chance of mis-signing gets very real.
Even if the signing is done on a "black box" as per best practice, it offers
no protection if the signing decision is made by a party with blind trust in
incoming packages, as happens in a big company setting.

~~~
acdha
> A very good reason to shut down any automatic update software, moreover on a
> commercial OS.

This is dangerous and irresponsible general advice. 99.9999…something percent
of users will be better off getting updates on a schedule more recent than
“never”. Following your advice would simply mean that millions of people get
rooted because they postponed the updates for things which were known threats
in the wild.

The very small percentage of high-value targets are the ones who can consider
this because they also have defense budgets measured in the millions and can
afford to do things like inspecting updates and aggressively monitoring for
changes in network activity, etc.

What it does tell you is that there is a cost to using software from companies
with lax security practice such as ASUS:

> Kamluk said ASUS continued to use one of the compromised certificates to
> sign its own files for at least a month after Kaspersky notified the company
> of the problem, though it has since stopped. But Kamluk said ASUS has still
> not invalidated the two compromised certificates, which means the attackers
> or anyone else with access to the un-expired certificate could still sign
> malicious files with it, and machines would view those files as legitimate
> ASUS files.

That's a good cue to suggest that if you're security conscious you want to
pick vendors who share that value.

~~~
baybal2
The one logic that is dangerous here is that of blind faith in the signing
ecosystem.

The MITM on Windows Update with a forged certificate a few years ago was just a
few minutes away from being a global emergency for Windows users. The only
thing that kept it contained was that the attackers did not figure out to
hijack routing to the real Windows Update servers.

For 99% of users using Windows Update, that would've been an instant virus
install - so much for security.

The only security measures that are worth implementing are, obviously, the
ones which work.

~~~
acdha
> The only security measures that are worth implementing are, obviously, the
> ones which work.

Which is why I don't think the right answer is taking steps which ensure users
won't install security updates. The scenario you mentioned is better addressed
by other means — CA pinning, certificate transparency — and, unsurprisingly,
those are the measures being implemented on a wide scale.