tstockma

ETA? Asus ShadowHammer detection & removal


Synopsis:  for Asus ShadowHammer, how long will Eset likely take to assess, issue detection tools, issue removal tools and/or instructions like, system re-image needed?

Storyline:  well this bites...bought a fairly high flying Asus laptop in December to replace a quite aged machine, and leisurely set it up with my highly customized setup...installed Eset Internet Security....today's security headlines show a high chance my Asus is contaminated via the supply-side hack to Asus's system update servers.

How long does Eset usually take to issue detection & advice or tools to correct these kinds of mass problems? At the moment that new laptop is a thousand dollar piece of junk, no way I'm using it for anything important involving logins into financial accounts, doing my taxes, running any kind of business, etc... Pretty much the biggest reasons for my buying a new laptop in the first place.

Please anyone reading this, don't be tiresome with commenting this attack is likely not "activated" on my machine...for me compromised is compromised, which in my book means until & unless verifiably clean of infection & back-doors, it's unusable...estimates are upwards of a million machines received this "update" & if I'm one, I need it verifiably absent from the machine, or I'll be moving on from it.


Hello,

Detection for Win32/ShadowHammer was added in threat detection database 19086.

From reading about the threat, it's unclear how many computers received the first-stage downloader (reports give numbers varying from hundreds of thousands to millions, but such numbers tend to be highly inaccurate and can only be confirmed by ASUS itself). Those samples contained a hard-coded list of over 600 computers to target with the next stage, so by that criterion the actual number of affected computers might only be... a handful.

The time it takes for detection and remediation of any threat is always going to vary; it's kind of like asking, "how long is a piece of string?"  The answer is always going to be arbitrary because some threats take longer to analyze than others.

In this particular case, I would suggest keeping an eye on ASUS' product security advisory page at https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/, as well as relevant threads on their support forum here, here and perhaps here as well (I'm unsure if that latter one is related) as ASUS should hopefully have some idea of which of its hardware was affected.

Regards,

Aryeh Goretsky


Good to know, thanks - I have one question, it wasn't answered by the links you included (thanks for those too). Do you know if detection in 19086 IDs that first-stage downloader, or only other follow-on stages (or both, could be both)?

Thanks very much for the fast response too.


Per Kaspersky and noted below, just because you have a vulnerable device doesn't mean you're infected. It appears this has been a targeted attack. Also Kaspersky has a utility to check if your device is one affected by this vulnerability:

Quote

According to our statistics, more than 57,000 users of Kaspersky Lab’s products have installed the backdoored utility, but we estimate it was distributed to about 1 million people total. The cybercriminals behind it were not interested in all of them, however — they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. To check if your MAC address is on the target list, use our tool, which you’ll find at https://shadowhammer.kaspersky.com/.

https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/

Edited by itman
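The quoted passage describes the targeting mechanism: the backdoored updater carried a hardcoded list of hashed MAC addresses and only proceeded on machines whose MAC hashed to one of them, which is also what Kaspersky's check tool compares against. The following Python script is an added illustration of that kind of check; it is not the thread's code, not Kaspersky's tool, and not ASUS's. The hash algorithm (MD5) and the hashed string form (uppercase, colon-separated) are assumptions, and the target hashes are constructed placeholders rather than the real list.

```python
import hashlib
import re
import uuid

# Assumption: the updater hashed each MAC as an uppercase, colon-separated
# string with MD5. Neither detail is stated in the thread; treat this as a
# model of the technique, not as the real ShadowHammer list format.


def normalize_mac(mac: str) -> str:
    """Accept 00:11:..., 00-11-..., or 001122... and return AA:BB:CC:DD:EE:FF."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hex_only) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 12, 2)).upper()


def mac_hash(mac: str) -> str:
    """Hash a MAC the way the (assumed) target list was built."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed placeholder target list (NOT the real list of ~600 hashes).
CONSTRUCTED_TARGET_HASHES = frozenset(
    mac_hash(m) for m in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF")
)


def check_macs(macs, target_hashes=CONSTRUCTED_TARGET_HASHES):
    """Return [(normalized_mac, digest)] for every MAC whose hash is on the list.

    Comparing hashes rather than raw MACs mirrors what the updater did: the
    list on disk never reveals the targeted addresses themselves.
    """
    hits = []
    for mac in macs:
        norm = normalize_mac(mac)
        digest = mac_hash(norm)
        if digest in target_hashes:
            hits.append((norm, digest))
    return hits


def local_mac_addresses():
    """Best-effort list of this host's MACs using only the standard library.

    uuid.getnode() returns a random 48-bit number with the multicast bit set
    when no hardware address can be read; that is not a real MAC, so skip it.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [f"{node:012X}"]


if __name__ == "__main__":
    macs = local_mac_addresses()
    hits = check_macs(macs)
    print(f"checked {len(macs)} local MAC(s); {len(hits)} on the constructed list")
    for norm, digest in hits:
        print(f"  match: {norm} -> {digest}")
```

Running the script against the constructed list will report no match on a real machine; to exercise the matching path, pass one of the placeholder MACs to `check_macs` directly. A real check tool would ship the vendor's published hash list in place of `CONSTRUCTED_TARGET_HASHES` and enumerate every adapter rather than relying on `uuid.getnode()`, which only reports one address.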

Quote

 

Asus has also explained how it has “implemented a fix in the latest version (ver. 3.6.8) of the Live Update software,” that implements “an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.”

It’s good to see the company taking this so seriously and working fast to release a fix and ensure it doesn’t happen again, though the fact that there was a security hole in the software it includes in all of its laptops and PCs in the first place is still troubling.

If you have an Asus laptop, make sure you have Live Update 3.6.8 installed.

Asus has also released an online security diagnostic tool that will check your system to see if it is affected, and it suggests that anyone who’s concerned should run it and contact Asus Customer Service.

Hopefully Asus’ quick response will prevent this nasty attack from spreading too far.

 

https://www.techradar.com/news/asus-responds-to-hacking-attack


I forgot to post the following extract from the Kaspersky blog article. It is not only Asus affected by this issue:

Quote

While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack.

Just now, itman said:

I forgot to post the following extract from the Kaspersky blog article. It is not only Asus affected by this issue:

It's similar to what happened to CCleaner in recent months.

1 minute ago, Rami said:

It's similar to what happened to CCleaner in recent months.

Yes, an update server was hacked. And since multiple vendors were compromised, it is hoped the ongoing investigation will uncover how it was done.

In the CCleaner incident, the breach occurred during the transition period after the Piriform to Avast merger. At least this was a plausible explanation as to how such a security breach could have occurred. This incident appears different and more serious.

Just now, itman said:

Yes, an update server was hacked. And since multiple vendors were compromised, it is hoped the ongoing investigation will uncover how it was done.

In the CCleaner incident, the breach occurred during the transition period after the Piriform to Avast merger. At least this was a plausible explanation as to how such a security breach could have occurred. This incident appears different and more serious.

Indeed, what makes it weirder is that Kaspersky states they told ASUS about the security hole months ago and ASUS just didn't react to it till now. I wonder what stopped them from doing so or fixing the problem before.

9 minutes ago, Rami said:

Indeed, what makes it weirder is that Kaspersky states they told ASUS about the security hole months ago and ASUS just didn't react to it till now. I wonder what stopped them from doing so or fixing the problem before.

My past dealings with Taiwanese hardware manufacturers mirror this; they won't fix something until it's absolutely necessary.

Edited by itman

45 minutes ago, itman said:

My past dealings with Taiwanese hardware manufacturers mirror this; they won't fix something until it's absolutely necessary.

And now they took a hit to their head with a possible infection of 1 million of their own devices, so what benefit they got from their actions I don't really know.


As to why this issue wasn't detected earlier:

Quote

The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.

Why ASUS is partially to blame:

Quote

We have contacted ASUS and informed them about the attack on Jan 31, 2019, supporting their investigation with IOCs and descriptions of the malware.

Suspected culprit:

Quote

Although precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well.

https://securelist.com/operation-shadowhammer/89992/

Edited by itman


Some additional information. Only ASUS notebooks affected:

Quote

The company also said that "only the version of Live Update used for notebooks has been affected," with all other devices not being affected by the supply chain attack.

https://www.bleepingcomputer.com/news/security/asus-admits-its-live-update-utility-was-backdoored-by-apt-group/


Hello,

For this particular case, detection was added no later than March 25, 2019 at around 7:21:03 PM [GMT]. I cannot be more precise than that because there may have been some cloud-based technologies that detected it before then. That time, however, is when detection was added to the threat database and pushed out via ESET's update servers to endpoints around the world.

As I mentioned in my previous message, there is no fixed answer to how long it takes to add detection for a threat and remediate it, because each attack is going to be different in complexity and, as such, require varying amounts of time to add detection for it. And neutralizing the threat once it is found may be much more complicated, or it may be much simpler.

One suggestion I have is to keep an eye on things like ESET's WeLiveSecurity blog and Customer Advisories page, as these are going to contain the latest information about threats.

Regards,

Aryeh Goretsky

20 minutes ago, jivailiytaasa said:

How long does ESET usually take to issue detection & advice or tools to correct these kinds of mass problems? At the moment that new laptop is a thousand dollar piece of junk, no way I'm using it for anything important involving logins into financial accounts, doing my taxes, running any kind of business, etc... Pretty much the biggest reasons for my buying a new laptop in the first place.

48 minutes ago, jivailiytaasa said:

At the moment that new laptop is a thousand dollar piece of junk, no way I'm using it for anything important involving logins into financial accounts, doing my taxes, running any kind of business, etc...

Did you apply the ASUS software patch as noted in a previous reply in the thread: https://www.asus.com/News/hqfgVUyZ6uyAyJe1


ASUS Updates Security Certificates of Motherboards, Graphics Cards, Mini PCs, Workstations and Servers

Quote

ASUS is releasing this advisory to provide information related to the new implementation of a tiered certificate structure that upgrades the security infrastructure of our expanding software ecosystem. The upgrade requires the current code-signing certificate of several ASUS products to be revoked. This revocation can cause some existing software utilities to trigger a Windows Security dialog box, and may prevent legitimate ASUS programs, such as Aura, AI Suite III, GPU Tweak II and others, from running normally when users attempt to execute the associated 'Setup.exe' or 'AsusSetup.exe' file.

The new versions of each ASUS software update, code-signed with a new digital certificate are now available for download at the link provided below. Once the latest version of the respective software is downloaded, the relevant program can be installed and run normally. Further information can be found in the Advisory FAQ section below. Users who have any inquiries or concerns are welcome to contact ASUS Customer Service. ASUS apologizes for any inconvenience caused by this update.

Updated Software List
Download links for each software program can be found here: https://www.asus.com/latest-software-update/

https://www.techpowerup.com/254629/asus-updates-security-certificates-of-motherboards-graphics-cards-mini-pcs-workstations-and-servers

Edited by itman
