Hackers hijacked ASUS software updates to install backdoors on thousands of computers. This is a really in-depth supply chain attack, and I'm going to leave links to all of this in the notes below. If you're not familiar with a supply chain attack, it is where someone further up the chain, where the computer, software or device was produced, inserts some type of malware that is then distributed from the top down: from the source at the supplier all the way to your computer, maybe via an update, maybe via something embedded in the system that you purchased.

Supply chain attacks are not new. They're a really challenging problem, and Krebs on Security did a good deep dive into this; I'll leave you links so you can read some of the background on supply chain attacks. But let's talk about Operation ShadowHammer.

Operation ShadowHammer is the name given by Kaspersky, who did some really good security research work here. No matter how you feel about the politics and the quality of their actual product, they do some really in-depth, great security dives, and they did that here with ASUS because there were some suspicious contacts going on. What I mean by that is the ASUS update software seemed to be reaching out to some unusual places, and that is the kind of thing that trips people into asking: what is it doing, and why is it going there?

In short, what happened here involves ASUS and their certificates. If you're not familiar with how certificates work: if you are an issuer of software, your computer, whether it's running Windows or another operating system, has a methodology for checking it. Different systems do it differently, but we're going to talk specifically about Windows, where this attack occurred. Here's the digital signature they're highlighting, issued by DigiCert. How does that work? Well, they certify and sign the software using a public key encryption system. ASUS internally keeps this signing key very locked down within their software development teams. We think it's really locked down.
I know that's going to be subjective after what's happened here. They then sign the update, and you can publicly verify that it was signed with that certificate; the signature cannot be reverse-engineered. That means you can trust that the software was produced entirely by ASUS and is allowed to run on your computer under their certificate. There are certificates for Microsoft, there's a certificate for ASUS; nearly every major software vendor has one. This is also how you get that "untrusted" warning: if you were to compile software yourself, you'll see a prompt asking whether you trust it, because there's no public certificate available that validates it was produced by a given company, or because that company or the individual who coded it just doesn't have a valid signing certificate.

So ASUS potentially had this system infected. We're not exactly sure how; that information isn't there. Originally ASUS denied being infected at all, and Kaspersky, well, they seem to think otherwise. We don't know how they got into the ASUS network, but the assumption is that they did, because of the signing. These hotfixes distributed by ASUS Live Update were automatically installed on computers that ran ASUS Live Update, and Kaspersky has a deep dive into which versions they identified and the hashes of the suspicious files they found.

Now, what's interesting about this is that it takes a lot of effort, I feel. I don't know this to be true, and it's subjective, but I feel that ASUS probably has good security processes in there, because their company's reputation is currently in jeopardy over this. Yet somehow the ASUS system was pushing out these updates.

Now, the updates themselves that came through with the malware inside do not necessarily pose an immediate threat, as far as we can tell. What they are doing is looking for a very oddly specific set of MAC addresses. MAC addresses are the unique identifiers, like a serial number, for the
network interface card. If it found one of 600 (and we're talking millions of infections, millions of downloads, but only 600 MAC addresses on the list), that list of MAC addresses would cause the machine to go out to a website registered as ASUS hotfix, which has now been taken down. Because it's been taken down, we don't really have clear answers about how many of these 600 computers were out there and contacted that command and control server. So if you were among the 600, you are probably someone who's important.

Now the part we just don't know: how did they come up with the list of 600? Guesses and speculation lead to there having been a purchase order from another company or a government entity for ASUS computers, ASUS laptops, and the attackers having the list of MAC addresses for those computers. However they obtained them, they can't touch the machines themselves. In a lot of security environments those laptops come sealed, delivered directly from ASUS. However that process is handled, someone verifies that the seals aren't cut, because that becomes a very obvious problem: when a laptop is delivered and appears to have been tampered with, the company, especially if it's a security company, may reject said laptop. So the next best thing would be to have something already installed, because you've compromised ASUS. This is supply chain: when those 600 devices get online, they call out to this command and control server and then do something else.

Why this is concerning is that the ASUS Live Update tool also performs BIOS updates. This could present (we don't know, because it's unclear) a very strong risk of modifying something in the BIOS. So even if these companies practice really tight security by wiping and updating these systems, that would still allow the system to install whatever malware the attackers wanted, because many of these UEFI BIOSes have high-level access and sometimes have storage components
that allow them to install other software even after you reload the machine. So this is a really big problem.

Motherboard did an article on this. It's a long read, but it's great; they have more details than Kaspersky. Kaspersky is, kind of, advertising: they're telling you they're going to drop a lot more at an upcoming security conference. Like I said, Kaspersky, like any of these companies, wants to drag it out in the news; they want to make sure they get some attention. That's not a bad thing, really. A lot of these security companies keep their name in the news by tracking down these threats and reporting on them, which is great, because as the public we really want to know about these threats and see if we're at risk.

Now, a couple of questions I've seen pop up in forums and the like: am I affected if I'm running Linux? No, you're not. To my knowledge I've never seen any ASUS updates come through on Linux; I don't think they have any repositories. Also, if you're using only the Debian repositories, for example, they only allow open source in the default repository. If you've added something special, well, maybe, but if you're just running a standard server on an ASUS computer, it shouldn't be an issue at all.
There's no evidence of that, and this is one of the reasons open source offers a lot more security when you're doing it right: with open source, the supply chain is all open. They code it, and if someone were to put something into the source code, the binaries wouldn't match. This is referred to as reproducible builds. Basically, you take the source code, which can be audited, and if someone were to put a series of 600 MAC addresses in there as a backdoor, it wouldn't match the reproducible build of the binary that actually gets delivered to the customer. This is why doing code very transparently helps with security: it really presents a challenge for someone trying to slip something in. That doesn't mean there aren't bugs in code; that's a separate issue. Finding a bug, finding a zero-day to use as an attack point, is really difficult, really challenging. But getting all the way up into the supply chain, where you can just distribute it and then fly under the radar, by only looking for 600 MAC addresses despite having this massive infection of machines and opportunity, means most people would never have looked for a single callout from a couple of computers. It wouldn't have raised a red flag. Your security stack, top to bottom, wouldn't have noticed it, because it's not something that gets flagged.

Now, going back through a bit of history (I'll leave this link as well, and this is in the Motherboard article), apparently someone did notice something strange.
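As an added example (not from the video, ASUS or Kaspersky), here is a small Go program that models the two checks discussed above: the updater's signature verification, which only proves who signed a file, and a reproducible-build hash comparison, which catches a build altered before it was signed. Ed25519 stands in for the DigiCert-issued Authenticode chain, and the payload bytes are constructed stand-ins for real binaries.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update models a signed vendor update: file bytes plus the vendor's signature.
type Update struct {
	Payload   []byte
	Signature []byte
}

// NewVendorKey stands in for the vendor's locked-down signing key (Ed25519 here).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// SignUpdate is what a release pipeline does: it signs whatever it is handed,
// which is why a build backdoored upstream still receives a valid signature.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}
// VerifySignature is the updater's check on the endpoint: it proves origin,
// not that the contents are safe.
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}
// MatchesReproducibleBuild is the extra check: does the delivered file hash to
// the same value as a binary independently rebuilt from the audited source?
func MatchesReproducibleBuild(u Update, rebuilt []byte) bool {
	a, b := sha256.Sum256(u.Payload), sha256.Sum256(rebuilt)
	return bytes.Equal(a[:], b[:])
}

func main() {
	pub, priv := NewVendorKey()
	clean := []byte("constructed sample: clean updater binary")
	backdoored := append(append([]byte{}, clean...), []byte(" + injected MAC trigger list")...)
	good, bad := SignUpdate(priv, clean), SignUpdate(priv, backdoored)
	fmt.Println("clean verifies:", VerifySignature(pub, good))                       // true
	fmt.Println("backdoored verifies:", VerifySignature(pub, bad))                   // true
	fmt.Println("backdoored matches rebuild:", MatchesReproducibleBuild(bad, clean)) // false
}
```

The signature check still catches bytes changed after signing (flip one byte of a signed payload and verification fails); only the rebuild comparison catches what was changed before the pipeline signed it.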
So this has been going on for a little while, about nine months. Nine months ago there was a report of ASUS forcing an update, or trying to do some mystery update that it won't say anything about, and it kept popping up. So this may have been when they pushed it out in terms of the updates.

I also left a link to VirusTotal. This is an example where there was nothing suspicious, because all of this relies on signatures, or even these higher-end AI antivirus systems that try to do pattern recognition. When the only thing being pushed out is signed updates that aren't doing anything suspicious (because they don't activate until they find one of those 600 MAC addresses before doing anything that would seem even slightly unusual), there's not enough data to go on, so the updates are trusted: they're signed and installed.

So it's really an interesting read; read up on the supply chain. This is a lot to think about. It's once again one of my calls for open source, because people say, you know, can I trust this? Well, when everything's done with reproducible builds, that's where we have to go in the market to help protect against some of these supply chain attacks. This is similar to things I covered before related to the alleged Supermicro hacks, talking about that supply chain: you get similar things. They have schematics for the motherboards, and we're seeing a little more open-sourcedness in that, you know, open hardware forums, so we can look at their hardware and see that it does what's expected. As security gets a little bit tighter, new challenges come up, and this is the latest one.
This is just interesting, but we're going to see more and more of these types of attacks. And like I said, in my opinion, open source, being able to see the code and reproduce the binaries, is the way you help protect against this and have a better understanding of what's going on.

So the good news is, if you're running Linux, you should be perfectly fine, provided you didn't add any type of proprietary ASUS software to your system. If you're running Windows on an ASUS computer that got this, nuke and pave, because the other fear is this: whoever's behind this (attribution is really hard), will someone else take over, now knowing that all these machines have this waiting on some next command? Will someone else figure out how to send something else to these machines to make them activate differently? Could this get out in the wild and create some big security nightmare? Just 57,000 computers that they know of downloaded it, and that's only people running Kaspersky; the number could be bigger, because according to the article ASUS is the fifth largest PC vendor. So there is a lot of potential out there if someone finds a way to exploit this further; there could be problems. So if you have an ASUS computer and you've run this Live Update at all, or it came with your computer, it's probably time to wipe and reload just to be safe. If you're concerned at all about security, I highly recommend it.

All right, thanks for watching. If you liked this video, give it a thumbs up, and if you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us.
Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video, and see you next time.