Over 57,000 users, and possibly up to a million, have downloaded and installed a version of the Asus Live Update utility that was poisoned with a backdoor and hosted on the official Asus servers.
What security vendor Kaspersky is calling ShadowHammer was actually a targeted attack at a small number of users. (The investigation is still in progress, Kaspersky said.) Kaspersky said that the ShadowHammer attack had been detected worldwide, most commonly in Russia and Germany, with about five percent of victims in the United States.
From a security standpoint, the most disturbing aspect of the malware is that it was digitally signed with legitimate security certificates, the stamp of authenticity that would make them indistinguishable from a real update. The Asus Live Update software is designed to look for new versions of the programs released on the Asus website and then automatically update a PC’s BIOS, drivers, and applications. If ShadowHammer allowed the PC to download malicious BIOS software from another site, that software could take over the entire PC. The Live Update software can be downloaded from the Asus site, and it also comes pre-loaded on PCs.
The target, Kaspersky said, was the supply chain, a network of companies supplying parts to a particular product. It could involve any number of manufacturing partners. It isn’t clear who or what ShadowHammer was designed to attack, but the security firm said it found a link to what it called BARIUM, involved in a similar supply-chain attack in 2017 called ShadowPad. That attack targeted the financial industry.
Kaspersky didn’t specifically say whether its software would block the attack, but the company said it had designed a tool to determine whether your PC was one of the targeted machines—about 600 addresses in all. To do so, you can download an executable file with a list of the MAC addresses, or check your MAC address manually against a list that’s been published online. (To find your MAC address, open the Windows 10 Settings menu, then navigate to Settings > Network & Internet and then View your network properties. You’ll find that Physical address (MAC) about three rows down.)
We've reached out to Asus for comment, and will update this story when we hear back.
What this means for you: Given that Asus is usually considered to be the fifth-largest PC vendor in the world, and that ShadowHammer used authentic certificates, the attack is significant. Fortunately, you’re unlikely to be a target. The earlier ShadowPad triggered the download of malware only if a target was considered “interesting,” and it’s likely your PC isn’t. Still, if you’re concerned, Asus Live Update can apparently be safely uninstalled: Asus describes the process here, though it can be performed normally though Windows as well.