Hackers dropped a secret backdoor in Asus’ update software

Hackers targeted and compromised “hundreds of thousands” of Asus computer owners by pushing a backdoored update software tool from the company’s own servers.

The bombshell claims, first reported by Motherboard, said the hackers digitally signed the Asus Live Update tool with one of the company’s own code-signing certificates before pushing it to Asus’ download servers, which hosted the backdoored tool for months last year. The malicious updates were pushed to Asus computers, which has the software installed by default.

TechCrunch can confirm much of Motherboard’s reporting after we learned of the attack some weeks ago from a source with direct knowledge of the incident.

Kaspersky, which first found the backdoored software, said the malicious update tool could affect over a million users. The backdoor would scan a device for a target’s unique MAC address and pulls a malicious payload from a command and control server.

It’s not known exactly what payload was delivered to victims, however.

Motherboard’s reporting said the backdoor was scanning for some 600 MAC addresses, matching what TechCrunch has learned, and was likely targeted to infect only a small number of victims rather than cause infections on a large scale.

Symantec confirmed Kaspersky‚Äôs findings, describing it to us as a software supply chain attack. “Our findings suggest the trojanized version of the software were sent to Asus customers between June and October,” spokesperson Jennifer Duffourg told TechCrunch.

The security company said it saw the backdoored software deployed between June and late October 2018, affecting 13,000 of its customers.

The compromised file with Asus’ certificate (Image: Kaspersky)

It’s believed the hackers had access to Asus’ own certificates to sign the malware through Asus’ sprawling supply chain, a factor line of developers and vendors from around the world trusted to develop software and provide components for Asus’ computers. These so-called supply chain attacks are particularly difficult to detect because it often involves targeting a company insider or infiltrating the company directly.

One of the backdoored files used a certificate created in mid-2018 but which was different from Asus’ regularly used certificates.

According to Motherboard’s report the certificates are still active and have not been revoked, posing a continued risk to Asus customers.

The backdoor bears a resemblance to CCleaner, which similarly used a code-signing certificate to hide any malicious component. Some 2.3 million customers were affected by that backdoor, blamed on hackers who reportedly targeted tech giants.

Asus has not informed customers of the vulnerability after it was discovered earlier this year.

Motherboard said Kaspersky reported the backdoored software on January 31. Taiwan-based Asus is said to have around a 6 percent share of the computer market, according to Gartner, shipping tens of millions of computers each year.

When reached last week about the claims, Asus spokesperson Gary Key had no immediate answer to several questions we had and referred comment to its headquarters.

Kaspersky’s Sarah Kitsos did not comment on the findings.