Asus Deploys Security Fixes, Encryption After ‘Sophisticated’ Cyberattack
Asus says it's deploying improved security after the company's own PC update software was compromised by hackers in order to deliver malware to users.
Cybersecurity firm Kaspersky Lab initially disclosed the cyberattack on Monday, and Symantec later confirmed the attack as well.
Cybercriminals compromised the Asus Live Update utility, which provides BIOS, UEFI and software updates to Asus PCs. The malicious update was delivered to users between June and November of 2018, according to Kaspersky Lab.
Taiwan-based Asus responded on Tuesday, acknowledging that some of its devices have been affected by malicious code through a "sophisticated attack" on the company's Live Update servers.
Asus has implemented a fix in the latest version of its Live Update software, Version 3.6.8, and recommended that all users update to that version, the company said.
Asus has also "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism," the company said in a news release.
"We have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future," Asus said.
However, Asus appeared to downplay the scope of the attack, saying that just "a small number of devices" have been implanted with the malicious code.
Kaspersky Lab, on the other hand, estimated that about 1 million users have been affected, and said it had so far uncovered more than 57,000 users with the backdoored utility. The firm has referred to the hack, which it's calling "ShadowHammer," as "one of the biggest supply-chain attacks ever."
"It's very possible that Asus could end up having to recognize their internal security isn't as strong as it needs to be, and has allowed this to happen," said Michael Oh, founder of Cambridge, Mass.-based solution provider TSP LLC, in a previous interview with CRN. "These updates are supposed to be pushed from vendors that have very good security—but who's watching them? Who's helping to make sure their infrastructure is secure?"
Ultimately, "I think it's going to make a lot of people in IT rethink their trust models of which vendors they really think are 100 percent trustworthy," he said.
Asus did appear to agree with Kaspersky Lab's assessment that hackers only targeted a relatively small number of users with the attack. The attack was "an attempt to target a very small and specific user group," Asus said.
Kaspersky Lab had reported that the hackers had only meant to target 600 specific users.