(The investigation is still in progress, Kaspersky said.) Kaspersky said that the ShadowHammer attack had been detected worldwide, most commonly in Russia and Germany, with about five percent of victims in the United States.įrom a security standpoint, the most disturbing aspect of the malware is that it was digitally signed with legitimate security certificates, the stamp of authenticity that would make them indistinguishable from a real update. It will publish a full report to Securelist at that time as well–hopefully with details about the three other vendors.What security vendor Kaspersky is calling ShadowHammer was actually a targeted attack at a small number of users. The company also plans to present more details about the attack at the SAS 2019 conference on April 8 in Singapore. More information about this attack is available on Kaspersky’s Securelist website. We suspect more information will be revealed after they’ve had a chance to protect their users.
Kaspersky said that “the same techniques were used against software from three other vendors” and added that it notified them about the attack, but it didn’t say who the vendors are or how they responded. The outlet noted that Symantec confirmed Kaspersky’s findings and offered more details about how the researchers were finally able to uncover this attack. The supply chain attack was first reported by Motherboard, which said it sent Asus three emails about Kaspersky’s findings but hasn’t received a response.
Yet, the unidentified threat actor only appeared to be interested in a very small subset of those devices: Kaspersky said they “targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility.” That means as many as 1 million people were compromised to target just 600. (Kaspersky managed it, though, which is why disclosures like these are also thinly veiled advertisements.) The company said it detected the malware on 57,000 devices but estimated that 1 million were affected. It also had the same file size as the official version of the utility.Īll those precautions made the malicious version of the Asus Live Update Utility incredibly difficult to detect. This malicious version of the tool was hosted on the Asus update server and signed with a legitimate certificate. The researchers said that someone modified the Asus Live Update Utility, added a back door and then distributed it via official channels. The security firm said this attack, which it dubbed Operation ShadowHammer, “seems to be one of the biggest supply-chain incidents ever,” after the CCleaner attack of 2017. Kaspersky Labs revealed today that an unidentified threat actor modified the Asus Live Update Utility to gain access to target devices.