Reports from Kaspersky Lab researchers found out that computer giant ASUS installed a malicious backdoor last year on thousands of users’ computers after a server for its live software updates was hacked, and issued legitimate ASUS digital certificates with bogus software updates.
Experts Comments Below:
Colin Little, Senior Threat Analyst at Centripetal Networks:
“The ASUS backdoor exposes a trusted-vendor’s channel compromise distribution vector, which has historically caused damage world-wide. For example, the NotPetya cyber weapon, which was unleashed on the Ukraine in 2017, used the same distribution vector from a popular accounting software provider (ref https://www.bleepingcomputer.com/news/security/surprise-notpetya-is-a-cyber-weapon-its-not-ransomware/).
“When we consider this history, we plainly see the need for validation of trusted-vendor channels in addition to digital signatures (which, in this case, appears to have further concealed the malicious activity by providing a false sense of integrity) – not just for software and platform updates, but any “trusted” vendor network which has access into our environment requires validation above and beyond what the current offerings are. The world is lucky there was not a cyber weapon involved in the ASUS backdoor, such as with the NotPetya example.
“While many organizations debate whether to block or not due to interruption of the business process, it should be best practice to block. Removing the block is not difficult and can be accomplished quickly, better to be safe than have the network and data compromised which would be more of a consequence than blocking.”
Mike Jordan, CISSP, CRISC, CTPRP, Senior Director at The Shared Assessments Program:
“Supply chain cybersecurity threats from software update mechanisms can be particularly devastating. This is a very similar method that the NotPetya malware used to cause over a billion dollars in costs and counting by hacking a third party’s software. It’s becoming increasingly important that companies add reviews of their third party software vendors’ software update mechanisms as part of their due diligence procedures.
“Our members are discussing how to best address these threats in our working groups, especially as they pertain to Operational Technology (OT) risks to the plant floors of manufacturing, utility, and energy companies. We’ve found that the best way to address these kinds of third party risks is by working together with all parties, including the purchasers, the vendors, and the service providers that service and secure them. By working together on a common language and expected practices, organizations can efficiently and effectively manage these multi-faceted risks.”
Kevin Bocek, VP Security Strategy and Threat Intelligence at Venafi:
“Code signing certificates are used to establish which updates and machines should be trusted, and they are in the applications that power cars, laptops, planes and more. Nearly every operating system is dependent on code signing, and we will see many more certificates in the near future due to the rise of mobile apps, DevOps and IoT devices.
However, cyber criminals see code signing certificates as a valuable target due to their extreme power. With a code signing certificate, attackers can make their malware seem trustworthy and evade threat protection systems.
Unfortunately, in many organizations the protection of code signing processes falls mostly to developers who are not prepared to defend these assets. In fact, most security teams aren’t even aware if their developers are using code signing or who may have access to the code signing process.
It’s imperative for organizations to know what code-signing certificates they have in use and where, especially as it’s likely we’ll see similar attacks in the future.”
Dr Darren Williams, CEO and Founder at BlackFog:
The ASUS malware attack clearly demonstrates that the threat landscape we see today is infinitely more sophisticated than just a few years ago, with trusted vendors becoming unwitting perpetrators. Cyber-attacks are increasingly using fileless based techniques that leave no trace on the device. That’s why organisations need a multi-layered strategy to prevent data loss and unauthorised data collection and profiling.
“Rather than trying to identify attackers by their fingerprints, companies need to look at multiple characteristics of an attack – analysing network traffic to detect unusual behaviour and eliminating these threats before they wreak havoc within an organisation.”
Tim Erlin, VP of Product Management and Strategy at Tripwire:
“While Asus may have released a fix, if you’ve already been compromised that might not be enough. Affected users need to find out whether the attackers have actually targeted them, and then they need to assess the extent of the compromise.
This attack leveraged a very broad platform, the Asus updates, but then strategically targeted a small set of those initially compromised for further attack. The fix from Asus doesn’t help us understand who was targeted and why.
We still have relatively little information about how Asus was compromised. Information sharing is an important means by which we get better as an industry.”
Martin Jartelius, CSO at Outpost24:
“This is a complex attack – the attackers ensured that only a very small group of targeted individuals were affected. Those targets were likely to have been identified by the MAC address of their systems, meaning the attacker must have been on the same network as them, or had previous access to their systems.
The attackers were prepared to use this access to disrupt a million plus users as collateral damage in order to get to about 600 pinpointed systems.
As we know little about the breach, not much can be said beyond speculation. If the code signing keys were present in the environment of the update servers, and accessible to the attackers, this could be a failure in a defense in depth setup. When an attacker is able to take control of your patch deployment, your code signing certificates and your infrastructure, something has gone adrift in the defense.”