ASUS releases fix for Live Update tool abused in ShadowHammer attack

ASUS releases Live Update 3.6.8. Also says that "a very small" number of users were impacted.

ASUS

Logo: ASUS // Composition: ZDNet

ASUS released today a new version of the Live Update tool that contains fixes for vulnerabilities that were exploited by a nation-state group to deploy the ShadowHammer backdoor on up to one million Windows PCs.

ASUS Live Update version 3.6.8 contains the aforementioned fixes, the hardware vendor announced in a press release today.

The company said ASUS Live Update v3.6.8 "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism."

ASUS also said it updated and strengthened its "server-to-end-user software architecture to prevent similar attacks from happening in the future."

ASUS: Only notebook users were targeted

The company's statement comes after tech news site Motherboard revealed yesterday that a group of nation-state hackers compromised ASUS' Live Update infrastructure and delivered a backdoored version of the ASUS Live Update tool.

Initial assessments by Kaspersky Lab and Symantec estimated the number of infected users ranging between 500,000 and 1,000,000 users.

However, in its press release today, ASUS downplayed this estimate and said that just "a small number of devices have been implanted with malicious code."

The company said that only the Live Update tool used with notebooks had been backdoored, and not all instances of its app --used as a firmware update utility on millions of devices across the world.

ASUS was unable to put a solid figure on the number of impacted users, despite having direct access to its own server logs and knowing of the hack for roughly two months.

Many questions remain unanswered

The ShadowHammer operation, as Kaspersky is calling it, infected hundreds of thousands of users, but the ShadowHammer malware hidden inside the Live Update tool didn't infect users with additional payloads unless their device had a specific MAC address.

Kaspersky said the backdoored Live Update versions they collected featured more than 600 unique MAC addresses on which the ShadowHammer malware would launch further attacks.

ASUS is now using this very advanced target selection mechanism as an excuse to downplay the incident's severity, completely ignoring that a hacker group had direct access to its software update servers in the process.

The company released Live Update 3.6.8, but it is unclear if updating to this version removes all traces of the older backdoored Live Update version.

Many other questions also remain unanswered. For example, how can a regular ASUS customer tell if they automatically received the backdoored version of the Live Update version or not? It's very likely that most users weren't in the scope of the ShadowHammer group, but do all ASUS users who received a backdoored version of the Live Update app need to wipe and reinstall systems to be fully safe, or updating to v3.6.8 is enough?

ASUS said its customer service has been reaching out to affected users and providing assistance, but the company has not offered any useful information otherwise.

In fact, the company's press release is somewhat disrespectful to both Kaspersky and its customerbase.

Instead of thanking the Russian antivirus vendor for discovering this security breach, ASUS linked to a web page on the website of one of Kaspersky's competitors, a page which contains generic information about nation-state hacking groups. ASUS customers who click this link will not receive any useful information about the ShadowHammer attack, and will be even more confused as to how this relates to the ShadowHammer attack, which isn't even mentioned on that page.

ASUS tried to silence Kaspersky

Kaspersky said the group behind this attack --believed to be Chinese hackers-- ceased all activity on ASUS' servers in November 2018, when they moved on to other operations.

The Russian company discovered the ASUS Live Update compromise in January, reached out to ASUS which failed to address the hack for nearly two months before the incident blew over in the press yesterday.

Furthermore, according to a tweet from the reporter who broke the story yesterday, ASUS had also tried to have Kaspersky sign a non-disclosure agreement (NDA) in an attempt to keep the incident quiet.

ASUS NDA

Instead of working with Kaspersky to address this incident in a coordinated matter and provide all the information users needed, ASUS tried to bury the story, and it backfired spectacularly.

Practices like these and ASUS' ignorance of any security-related issues is why the US Federal Trade Commission placed the company under mandatory security audits for the next 20 years back in 2016. That decision was in regards to the company's home router division, but it appears ASUS' PC division is in the same melting pot of bad security practices.

For now, until ASUS releases more detailed information, ASUS customers can update to Live Update 3.6.8.

They can also use apps provided by ASUS and Kaspersky that check if their device's MAC address was on the list of 600 MACs the ShadowHammer operation targeted. A web-based version of this app is also available on the Kaspersky website.

Related cyber-security coverage: