ASUS has just released fixes for the vulnerabilities exploited by malware called ShadowHammer, which was disguised as a security update.
The hardware vendor issued an official statement in response to recent media reports on the attack against its ASUS Live Update tool by Advanced Persistent Threat (APT) groups.
ASUS Live Update Release Version 3.6.8
The company also announced the release of ASUS Live Update version 3.6.8, rolled out on Tuesday, March 26. The update introduces fixes to prevent manipulation masquerading as software updates, adds measures intended to prevent similar attacks, and deploys an enhanced end-to-end encryption mechanism.
"We have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future," ASUS stated.
Operation ShadowHammer Malware
On Monday, reports of a new APT campaign detected by Kaspersky Lab were first published by Kim Zetter. Kaspersky Lab's Global Research and Analysis Team (GReAT) has named the malicious campaign Operation ShadowHammer.
Over 57,000 Kaspersky users had installed the backdoored version of ASUS Live Update. However, Kaspersky estimated a much larger number of affected machines, with more than 1 million users having downloaded and installed the backdoored utility on their computers.
According to GReAT's report, ASUS Live Update is a utility pre-installed on most ASUS computers. It is used to automatically update the computer's BIOS, UEFI, drivers, and applications.
ASUS An Attractive Target For APT Groups
ASUS was the fifth-largest PC vendor in 2017 in terms of unit sales, making it an extremely attractive target for APT groups interested in its user base.
As GReAT explained, the attackers behind Operation ShadowHammer used infected ASUS Live Update binaries and targeted an "unknown pool of users, which were identified by their network adapters' MAC addresses." Kaspersky collected 600 MAC addresses from more than 200 samples used in this attack.
GReAT said it contacted ASUS in January to inform the company about the attack, but ASUS did not maintain active communication channels with Kaspersky and also failed to alert its users about the attack.
Users who want to check whether their system is affected by the ShadowHammer malware can use an offline utility that ASUS has provided via its official website.
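Because the campaign selected victims by network adapter MAC address, a defender's first triage step on a fleet is to compare each host's adapter MACs against the published indicator list. The script below is an added example, not ASUS's or Kaspersky's checker: it normalizes MACs written in any common format, pulls them out of `ip link`, `ifconfig -a` or `ipconfig /all` output, and reports matches. The indicator set and the sample tool output are constructed placeholders, not real ShadowHammer indicators.

```python
import re
import subprocess

# Placeholder indicator set, constructed for this example: NOT the real
# ShadowHammer target MACs. Load the vendor-published list instead.
TARGET_MACS = {"00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"}
# Matches 00:11:22:33:44:55, 00-11-22-33-44-55 and Cisco-style 0011.2233.4455.
_MAC_RE = re.compile(r"(?i)(?<![0-9a-f:.-])([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}"
                     r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?![0-9a-f:.-])")
_IGNORE = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}  # loopback / broadcast
# Constructed sample of mixed `ip link` / `ipconfig /all` output (not a capture).
SAMPLE_OUTPUT = """2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 state UP
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Physical Address. . . . . . . . . : 02-42-AC-11-00-02
"""

def normalize_mac(raw):
    """Canonical 'aa:bb:cc:dd:ee:ff' (lowercase, colon-separated) or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def extract_macs(text):
    """Every adapter MAC in tool output (ip link, ifconfig -a, ipconfig /all)."""
    found = {normalize_mac(m.group(1)) for m in _MAC_RE.finditer(text)}
    return found - _IGNORE - {None}

def match_indicators(macs, indicators=TARGET_MACS):
    """Host MACs that appear in the indicator set, whatever format each uses."""
    wanted = {normalize_mac(i) for i in indicators} - {None}
    return set(macs) & wanted

def local_adapter_macs():
    """Enumerate this host's adapters with whichever network tool is present."""
    for cmd in (["ip", "link"], ["ifconfig", "-a"], ["ipconfig", "/all"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, check=True)
            return extract_macs(out.stdout)
        except (OSError, subprocess.CalledProcessError):
            continue  # tool absent on this platform; try the next one
    return set()

if __name__ == "__main__":
    hits = match_indicators(local_adapter_macs())
    print("targeted adapter(s):", sorted(hits) if hits else "none matched")
```

A match only means the host was on the attackers' list; whether the backdoored utility actually ran there still has to be confirmed from the installed ASUS Live Update binary and its update history.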