1M Asus PCs Compromised Through Vendor's Own Updates: Kaspersky


In what Kaspersky Lab is calling "one of the biggest supply-chain attacks ever," an estimated 1 million PCs made by Asus received a malicious software update that was distributed through legitimate channels, the cybersecurity firm said.

Kaspersky Lab says that cybercriminals compromised the Asus Live Update Utility, which provides BIOS, UEFI and software updates to Asus PCs.


"The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time," Kaspersky Lab wrote in a blog post.


Taiwan-based Asus did not immediately respond to a request for comment.

The malicious update was reportedly delivered to users between June and November of 2018.

Kaspersky Lab said it has uncovered more than 57,000 users with the backdoored utility, and the firm estimates that about 1 million users were affected in total. The hackers had only meant to target 600 specific users, according to the firm.

In a statement to CRN, cybersecurity firm Symantec said it "can confirm the ASUS software supply chain attack."

Based on Symantec's analysis, trojanized updates "were deployed by ASUS’ live update server between June and late October 2018. These updates were digitally signed using two certificates from ASUS," Symantec said in the statement.

Kaspersky Lab—which has dubbed the Asus attack "ShadowHammer"—said that three other vendors have been attacked using the same techniques, but did not disclose the names of the other vendors.

Michael Oh, founder of Cambridge, Mass.-based solution provider TSP LLC, said the details disclosed so far suggest that hackers were able to infiltrate Asus' internal systems and take multiple steps there in order to deliver the malicious software.

"It's a pretty advanced attack, in the sense of all the steps that would have to be done for this to be executed," Oh said.

Depending on the results of further investigations, "it's very possible that Asus could end up having to recognize their internal security isn't as strong as it needs to be, and has allowed this to happen," Oh said. "These updates are supposed to be pushed from vendors that have very good security—but who's watching them? Who's helping to make sure their infrastructure is secure?"

Ultimately, "I think it's going to make a lot of people in IT rethink their trust models of which vendors they really think are 100 percent trustworthy," he said.