Hackers dropped a secret backdoor in Asus’ update software

Hackers targeted and compromised “hundreds of thousands” of Asus computer owners by pushing a backdoored update software tool from the company’s own servers.

The bombshell claims, first reported by Motherboard, said the hackers digitally signed the Asus Live Update tool with one of the company’s own code-signing certificates before pushing it to Asus’ download servers, which hosted the backdoored tool for months last year. The malicious updates were pushed to Asus computers, which have the software installed by default.

TechCrunch can confirm much of Motherboard’s reporting after we learned of the attack some weeks ago from a source with direct knowledge of the incident.

Kaspersky, which first found the backdoored software, said the malicious update tool was installed on as many as half a million computers. The backdoor would scan a device for a target’s unique MAC address and pull a malicious payload from a command and control server.

Motherboard’s reporting said the backdoor was scanning for some 600 MAC addresses. That matches what TechCrunch has learned: the backdoor was likely targeted to infect only a small number of victims rather than cause infections on a large scale.

Symantec confirmed Kaspersky’s findings, the company told TechCrunch, describing it as a software supply chain attack. “Our findings suggest the trojanized version of the software were sent to ASUS customers between June and October,” said spokesperson Jennifer Duffourg.

It’s believed the hackers had access to Asus’ own certificates to sign the malware. One of the backdoored files used a certificate that was created in mid-2018 but was different from Asus’ regularly used certificates. Motherboard reported the certificates were still active and had not been revoked, posing a continued risk to Asus customers.

It’s not known exactly what payload was delivered to victims, however.

The backdoor bears a resemblance to the one found in CCleaner, which similarly used a code-signing certificate to hide any malicious component. Some 2.3 million customers were affected by that backdoor, which was blamed on hackers who reportedly targeted tech giants.

Asus has not informed customers of the vulnerability after it was discovered earlier this year. Motherboard said Kaspersky reported the backdoored software on January 31. Taiwan-based Asus is said to have some 6 percent of the computer market share, according to Gartner, shipping tens of millions of computers each year.

When reached last week about the claims, Asus spokesperson Gary Key had no immediate answer to several questions we had and referred comment to its headquarters.

Kaspersky’s Sarah Kitsos did not comment on the findings.

This post was originally posted at http://feedproxy.google.com/~r/Techcrunch/~3/0Zefeh5OJY8/.
