Operation ShadowHammer sounds like a military strike. That or an attempt to steal Thor’s hammer, Mjolnir. However, it was none of those things. How this attack was carried out certainly warrants the name though. In short, Operation ShadowHammer is a supply chain attack that infiltrated ASUS computers over the last few months of 2018.
What Is A Supply Chain Attack?
Some cyber-attacks attempt to kick down the front door of your system. Fortunately, security improvements across systems prevent a lot of those attacks from succeeding. Most successful cyber-attacks find a way to slip around that front door. The most common method is fooling an unwitting user into clicking something harmful.
A supply chain attack is less common mostly because it’s harder to pull off. On the flip side, they’re incredibly effective. This type of attack specifically targets some other software or service vendor that passes data to your computer. Imagine thieves posing as the cleaning crew to your building. With convincing ID, they walk right through the front door, and security thinks nothing of it.
Enter Operation ShadowHammer
In January, Kaspersky Lab discovered “a sophisticated supply chain attack involving the ASUS Live Update Utility”. They discovered Operation ShadowHammer in January and notified ASUS immediately. Sadly, ASUS insisted no such attack occurred. After Kaspersky Lab offered to help, ASUS wanted them to sign an NDA. Nothing more was heard from ASUS after that. Kaspersky Lab opted to make Operation ShadowHammer public knowledge earlier this week.
The ASUS Live Update Utility comes pre-installed on nearly every ASUS computer. It helps keep ASUS computers updated with the latest drivers, BIOS, etc. Ordinarily, this is a good thing. In this case, attackers repurposed it to do something else.
The actors in this attack found a means of infecting software the utility installs. They effectively added malicious code and turned it into a trojan. Additionally, stolen digital certificates from ASUS made it appear to be legitimate software signed by ASUS. Because of this, most endpoint protection solutions skipped right over the malicious code even after staring it in the face.
A Focused Attack
Researchers estimate that more than 500 million Windows machines installed this software. Attackers now had a backdoor into ASUS systems around the world. Fortunately for most ASUS users, the attackers seemed to have 600 specific targets in mind, according to a list of MAC addresses within the malware. Once a targeted device was found, the software called a server operated by the attackers to install additional malware. So far, nothing is known about those 600 targets.
Supply Chain Attacks Becoming More Common
Two similar attacks in 2017 prompted the creation of a supply chain task force by the DHS. The actors in one of those attacks appear to be tied to this latest attack on ASUS. This attack led to a search for similar software. Three other vendors in Asia were infiltrated using similar methods.
According to Vitaly Kamluk of Kaspersky Lab, “Techniques used to achieve unauthorized code execution… suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others.”
Do You Own An ASUS Computer?
If you have an ASUS computer, here are a few steps to see if you were affected.
- Check Kaspersky Lab’s list to see if you were targeted. You’ll need to locate your MAC address. Instructions are provided by Kaspersky Lab.
- Download the latest version of Live Update. ASUS says they’ve resolved the infiltration. If you have difficulties installing it via the current Live Update tool, you can download it manually from the ASUS website.
If you’re a client of Pit Crew IT Services, just contact us. We’ve probably already checked this for you, but feel free to verify with us anyway. If you’re not a current client, what are you waiting for? Put your mind at ease and stop worrying about things like this. That’s what we’re here for. Just request a free consultation below, and we’ll take care of the rest.