tstockma, posted March 26, 2019:

Synopsis: for ASUS ShadowHammer, how long will ESET likely take to assess, issue detection tools, issue removal tools and/or instructions like "system re-image needed"?

Storyline: well, this bites... bought a fairly high-flying Asus laptop in December to replace a quite aged machine, and leisurely set it up with my highly customized setup... installed ESET Internet Security... today's security headlines show a high chance my Asus is contaminated via the supply-side hack to Asus's system update servers. How long does ESET usually take to issue detection and advice or tools to correct these kinds of mass problems? At the moment that new laptop is a thousand-dollar piece of junk; no way I'm using it for anything important involving logins into financial accounts, doing my taxes, running any kind of business, etc... pretty much the biggest reasons for my buying a new laptop in the first place.

Please, anyone reading this, don't be tiresome with commenting that this attack is likely not "activated" on my machine... for me compromised is compromised, which in my book means until and unless verifiably clean of infection and back-doors, it's unusable... estimates are upwards of a million machines received this "update", and if I'm one, I need it verifiably absent from the machine, or I'll be moving on from it.
Aryeh Goretsky (ESET Moderator), posted March 26, 2019:

Hello,

Detection for Win32/ShadowHammer was added in threat detection database 19086.

From reading about the threat, it's unclear how many computers received the first-stage downloader (reports give numbers varying from hundreds of thousands to millions, but such numbers tend to be highly inaccurate and can only be confirmed by ASUS itself). Those samples contained a hard-coded list of over 600 computers to target with the next stage, so by that criterion the actual number of affected computers might only be... a handful.

The time it takes for detection and remediation of any threat is always going to vary; it's kind of like asking, "how long is a piece of string?" The answer is always going to be arbitrary because some threats take longer to analyze than others.

In this particular case, I would suggest keeping an eye on ASUS' product security advisory page at https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/, as well as relevant threads on their support forum here, here and perhaps here as well (I'm unsure if that latter one is related), as ASUS should hopefully have some idea of which of its hardware was affected.

Regards,

Aryeh Goretsky
tstockma (author), posted March 26, 2019:

Good to know, thanks. I have one question; it wasn't answered by the links you included (thanks for those too). Do you know if detection in 19086 IDs that first-stage downloader, or only other follow-on stages (or both; could be both)? Thanks very much for the fast response too.
itman, posted March 26, 2019 (edited March 26, 2019 by itman):

Per Kaspersky and as noted below, just because you have a vulnerable device doesn't mean you're infected. It appears this has been a targeted attack. Also, Kaspersky has a utility to check if your device is one affected by this vulnerability:

Quote: According to our statistics, more than 57,000 users of Kaspersky Lab's products have installed the backdoored utility, but we estimate it was distributed to about 1 million people total. The cybercriminals behind it were not interested in all of them, however; they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. To check if your MAC address is on the target list, use our tool, which you'll find at https://shadowhammer.kaspersky.com/.

https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/
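The two posts above describe the same mechanism: the trojanized updater carried hashes of the target MAC addresses rather than the addresses themselves, and a checker only needs that hash list to tell a user whether one of their adapters is on it. The following is an added illustration of how such a "am I on the target list" check works; it is not Kaspersky's tool, nor ESET's or ASUS's code, and it assumes a SHA-256 fingerprint over the normalized MAC string (the page does not say which hash the real utility used). The target list and local MAC addresses are constructed sample values.

```python
import hashlib
import re
import uuid

# Constructed sample input: adapter addresses as a host might report them,
# in the mixed separator/case styles seen in practice (hypothetical values).
SAMPLE_LOCAL_MACS = ["00:1A:2B:3C:4D:5E", "aa-bb-cc-dd-ee-ff", "02:00:00:00:00:01"]


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lower-case hex digits, no separators.

    Comparing fingerprints only works if both sides hash the same byte string,
    so every formatting variant must collapse to one canonical form first.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_fingerprint(mac: str) -> str:
    # Assumption: SHA-256 over the canonical MAC string. The page does not
    # state the hash function the real utility used; this is illustrative.
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_set(target_macs) -> frozenset:
    """Turn a list of target MACs into the hash-only form a checker ships with."""
    return frozenset(mac_fingerprint(m) for m in target_macs)


def find_targeted(local_macs, target_hashes) -> list:
    """Return the canonical form of every local MAC whose fingerprint is on the list."""
    hits = []
    for mac in local_macs:
        try:
            fp = mac_fingerprint(mac)
        except ValueError:
            # Skip anything that is not a MAC (e.g. a virtual adapter with no address).
            continue
        if fp in target_hashes:
            hits.append(normalize_mac(mac))
    return hits


def local_mac_from_uuid() -> str:
    """The primary adapter address as the standard library reports it.

    uuid.getnode() falls back to a random 48-bit value when it cannot read a
    real address, so treat a miss from this helper as inconclusive.
    """
    return f"{uuid.getnode():012x}"


# Constructed target list: one of the sample local MACs is "targeted".
CONSTRUCTED_TARGET_HASHES = build_target_set(["00:1a:2b:3c:4d:5e"])


def host_is_targeted(local_macs=SAMPLE_LOCAL_MACS,
                     target_hashes=CONSTRUCTED_TARGET_HASHES) -> bool:
    return bool(find_targeted(local_macs, target_hashes))


if __name__ == "__main__":
    hits = find_targeted(SAMPLE_LOCAL_MACS, CONSTRUCTED_TARGET_HASHES)
    print("targeted adapters:", hits or "none")
    print("this host's primary adapter:", local_mac_from_uuid())
```

Two points the code makes concrete: a hit means the machine was selected for the second stage, whereas a miss only means the first-stage downloader had no further interest in it, which is the distinction itman draws above; and because only fingerprints are compared, a public checker can be published without disclosing the victims' actual MAC addresses.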
Nightowl (Most Valued Member), posted March 26, 2019:

Quote: Asus has also explained how it has "implemented a fix in the latest version (ver. 3.6.8) of the Live Update software," that implements "an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future." It's good to see the company taking this so seriously and working fast to release a fix and ensure it doesn't happen again, though the fact that there was a security hole in the software it includes in all of its laptops and PCs in the first place is still troubling. If you have an Asus laptop, make sure you have Live Update 3.6.8 installed. Asus has also released an online security diagnostic tool that will check your system to see if it is affected, and it suggests that anyone who's concerned should run it and contact Asus Customer Service. Hopefully Asus' quick response will prevent this nasty attack from spreading too far.

https://www.techradar.com/news/asus-responds-to-hacking-attack
itman, posted March 26, 2019:

I forgot to post the following extract from the Kaspersky blog article. It is not only Asus affected by this issue:

Quote: While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack.
Nightowl (Most Valued Member), posted March 26, 2019:

Just now, itman said: I forgot to post the following extract from the Kaspersky blog article. It is not only Asus affected by this issue:

It's similar to what happened to CCleaner in recent months.
itman, posted March 26, 2019:

1 minute ago, Rami said: It's similar to what happened to CCleaner in recent months.

Yes, an update server was hacked. And since multiple vendors were compromised, it is hoped the ongoing investigation will uncover how it was done. In the CCleaner incident, the breach occurred during the transition period after the Piriform-to-Avast merger. At least this was a plausible explanation as to how such a security breach could have occurred. This incident appears different and more serious.
Nightowl (Most Valued Member), posted March 26, 2019:

Just now, itman said: Yes, an update server was hacked. And since multiple vendors were compromised, it is hoped the ongoing investigation will uncover how it was done. In the CCleaner incident, the breach occurred during the transition period after the Piriform-to-Avast merger. At least this was a plausible explanation as to how such a security breach could have occurred. This incident appears different and more serious.

Indeed, what makes it weirder is that Kaspersky states that they told ASUS about the security hole months ago and ASUS just didn't react to it till now. I wonder what stopped them from doing so or fixing the problem before.
itman, posted March 26, 2019 (edited March 26, 2019 by itman):

9 minutes ago, Rami said: Indeed, what makes it weirder is that Kaspersky states that they told ASUS about the security hole months ago and ASUS just didn't react to it till now. I wonder what stopped them from doing so or fixing the problem before.

My past dealings with Taiwanese hardware manufacturers mirror this; they won't fix something until it's absolutely necessary.
Nightowl (Most Valued Member), posted March 26, 2019:

45 minutes ago, itman said: My past dealings with Taiwanese hardware manufacturers mirror this; they won't fix something until it's absolutely necessary.

And now they took a hit to their head with a possible infection of 1 million of their own devices, so what benefit they got from their actions I don't really know.
itman, posted March 26, 2019 (edited March 26, 2019 by itman):

ASUS Releases Security Update for Live Update Software

https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software
itman, posted March 26, 2019 (edited March 26, 2019 by itman):

As to why this issue wasn't detected earlier:

Quote: The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (e.g. "ASUSTeK Computer Inc."). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.

Why ASUS is partially to blame:

Quote: We have contacted ASUS and informed them about the attack on Jan 31, 2019, supporting their investigation with IOCs and descriptions of the malware.

Suspected culprit:

Quote: Although precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well.

https://securelist.com/operation-shadowhammer/89992/
itman, posted March 26, 2019:

Some additional information. Only ASUS notebooks are affected:

Quote: The company also said that "only the version of Live Update used for notebooks has been affected," with all other devices not being affected by the supply chain attack.

https://www.bleepingcomputer.com/news/security/asus-admits-its-live-update-utility-was-backdoored-by-apt-group/
itman, posted March 27, 2019:

To "add a bit of extra icing on this hack cake" comes this shocking revelation: https://techcrunch.com/2019/03/27/asus-hacking-risk/. Well, not really that shocking, in that, as the article notes, such security breaches are currently occurring much too frequently.
Aryeh Goretsky (ESET Moderator), posted April 8, 2019:

20 minutes ago, jivailiytaasa said: How long does ESET usually take to issue detection and advice or tools to correct these kinds of mass problems? At the moment that new laptop is a thousand-dollar piece of junk; no way I'm using it for anything important involving logins into financial accounts, doing my taxes, running any kind of business, etc... pretty much the biggest reasons for my buying a new laptop in the first place.

Hello,

For this particular case, detection was added no later than March 25, 2019 at around 7:21:03 PM [GMT]. I cannot be more precise than that because there may have been some cloud-based technologies that detected it before then. That time, however, is when detection was added to the threat database and pushed out via ESET's update servers to endpoints around the world.

As I mentioned in my previous message, there is no fixed answer to how long it takes to add detection for a threat and remediate it, because each attack is going to be different in complexity and, as such, require varying amounts of time to add detection for it. And neutralizing the threat once it is found may be much more complicated, or it may be much simpler.

One suggestion I have is to keep an eye on things like ESET's WeLiveSecurity blog and Customer Advisories page, as these are going to contain the latest information about threats.

Regards,

Aryeh Goretsky
itman, posted April 8, 2019:

48 minutes ago, jivailiytaasa said: At the moment that new laptop is a thousand-dollar piece of junk; no way I'm using it for anything important involving logins into financial accounts, doing my taxes, running any kind of business, etc...

Did you apply the ASUS software patch as noted in a previous reply in the thread? https://www.asus.com/News/hqfgVUyZ6uyAyJe1
itman, posted April 16, 2019 (edited April 16, 2019 by itman):

ASUS Updates Security Certificates of Motherboards, Graphics Cards, Mini PCs, Workstations and Servers

Quote: ASUS is releasing this advisory to provide information related to the new implementation of a tiered certificate structure that upgrades the security infrastructure of our expanding software ecosystem. The upgrade requires the current code-signing certificate of several ASUS products to be revoked. This revocation can cause some existing software utilities to trigger a Windows Security dialog box, and may prevent legitimate ASUS programs, such as Aura, AI Suite III, GPU Tweak II and others, from running normally when users attempt to execute the associated 'Setup.exe' or 'AsusSetup.exe' file. The new versions of each ASUS software update, code-signed with a new digital certificate, are now available for download at the link provided below. Once the latest version of the respective software is downloaded, the relevant program can be installed and run normally. Further information can be found in the Advisory FAQ section below. Users who have any inquiries or concerns are welcome to contact ASUS Customer Service. ASUS apologizes for any inconvenience caused by this update.

Updated Software List: download links for each software program can be found here: https://www.asus.com/latest-software-update/

https://www.techpowerup.com/254629/asus-updates-security-certificates-of-motherboards-graphics-cards-mini-pcs-workstations-and-servers