
According to Kaspersky Lab, hackers from the ShadowHammer APT group monitored the ASUS Live Update service for 5 months and infected more than half a million computers around the world.
Researchers at Kaspersky Lab found that last year attackers broke into the ASUS server responsible for distributing updates to the company's software. On that server they placed a malicious file containing a backdoor, signed with a valid ASUS certificate.
Compromised certificate (05e6a0be5ac359c7ff11f4b467ab20fc):
[image - securelist.com]
Most of the infected machines detected by Kaspersky Lab experts were in Russia (about 18%). According to Symantec, at least 13,000 computers belonging to the company's customers in the United States were infected last year through the malicious ASUS update.
Statistics of infections:
[image - securelist.com]
It is assumed that the attackers aimed to compromise about 600 targets, identified by the MAC addresses of the computers.
The malware looked for target systems by their unique MAC addresses. Once on a system, if it found one of these target addresses, the malware contacted the attackers' command-and-control server, after which additional malware was installed on that machine.
The following nodes were involved in this APT:
C&C:
asushotfix[.]com
141.105.71[.]116
Spread:
hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip
“This attack shows that the trust model we use, based on well-known vendor names and verifying digital signatures, cannot guarantee that you are protected from malicious programs,” said Vitaly Kamluk, Director of the Global Research and Analysis Team for the Asia-Pacific region at Kaspersky Lab. He noted that ASUS had not commented on the hack and had ignored reports from Kaspersky Lab experts about the compromised service and certificate.
Motherboard and Symantec have sent additional inquiries to the company.
A utility to check whether your MAC address is on the list of priority targets is available, as is an online check.
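The kind of check such a utility performs, as an added example that is not Kaspersky Lab's or ASUS's code: the host's hardware addresses are normalised and matched against a target list. The list below is constructed for illustration (the real ~600 targeted MACs are not on this page), and it is assumed here that targets are stored as MD5 hashes of the normalised MAC so a checker can be distributed without publishing the plaintext addresses.

```python
import hashlib
import re
import uuid

# Constructed sample targets, NOT real indicators from the ShadowHammer list.
SAMPLE_TARGET_MACS = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"]


def normalise_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 001122334455 or
    0011.2233.4455 and return the lower-case colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac):
    # Assumption: the target list holds MD5 of the normalised MAC string.
    return hashlib.md5(normalise_mac(mac).encode("ascii")).hexdigest()


TARGET_HASHES = frozenset(mac_hash(m) for m in SAMPLE_TARGET_MACS)


def is_targeted(mac, target_hashes=TARGET_HASHES):
    """True if this MAC, written in any common notation, is on the list."""
    try:
        return mac_hash(mac) in target_hashes
    except ValueError:
        return False


def local_macs():
    """Best-effort list of this host's hardware addresses (stdlib only).
    uuid.getnode() returns one adapter's MAC; if none can be read it returns
    a random number with the multicast bit set, which is filtered out here."""
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit of the first octet => not a real MAC
        return []
    return [normalise_mac(f"{node:012x}")]


def check_host(target_hashes=TARGET_HASHES):
    """Return the local MACs that appear on the target list."""
    return [m for m in local_macs() if mac_hash(m) in target_hashes]


if __name__ == "__main__":
    hits = check_host()
    print("targeted adapters:", hits if hits else "none")
```

On a real host the list would be replaced by the published hashes and every adapter enumerated, not only the one uuid.getnode() picks.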