Operation ShadowHammer: Tens of thousands of computers had a security backdoor installed via Asus' Live Update Utility
Most PC OEMs are known for including apps and utilities that are pre-installed on the computers they ship to consumers. While most of these are minor annoyances, a group of hackers found a use for one of Asus' pre-installed software packages. In what is being called "Operation ShadowHammer," these hackers were able to attach malware to Asus' Live Update Utility that opened a backdoor on affected systems.
Researchers at security firm Kaspersky Lab discovered the attack in January of this year. The research team is still investigating the exact scope of the attack, dubbed “Operation ShadowHammer.” The attack took place between June 2018 and November 2018 and has affected at least 57,000 Kaspersky users. Kaspersky currently estimates that over 500,000 Windows computers have been affected.
The attack involved injecting a Trojan into a compromised Asus server and attaching it to legitimate Asus software that carried an authentic digital signature. This attack was used to open a backdoor on a targeted set of systems, identified by specific MAC addresses hard-coded into the malware.
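The targeting mechanism described above (a hard-coded list of MAC addresses that the malware compared against the machine it landed on) is what a defender-side checker has to reproduce from the other direction: enumerate the host's MAC addresses and compare them against the known target list. The following is an added example, not Kaspersky's tool or any code from the original article. The two target addresses are constructed placeholders, and storing the list as SHA-256 fingerprints of the canonical MAC (so a checker can ship the list without publishing the addresses themselves) is a design choice of this example, not something the article states.

```python
"""Defender-side check: does any MAC address on this host appear on a list of
addresses a piece of malware was hard-coded to target? (Added example.)"""
import hashlib
import os
import re
import uuid

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, separators stripped.

    Accepts '00:11:22:33:44:55', '00-11-22-33-44-55', '0011.2233.4455' and
    '001122334455'. Raises ValueError for anything that is not a 48-bit MAC.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_fingerprint(mac: str) -> str:
    """SHA-256 of the canonical MAC. Comparing fingerprints instead of raw
    addresses lets the target list be distributed without disclosing it."""
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed placeholder targets; the article names no real addresses.
TARGET_FINGERPRINTS = frozenset(
    mac_fingerprint(m) for m in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF")
)


def check_host(host_macs, target_fingerprints=TARGET_FINGERPRINTS) -> list:
    """Return canonical MACs from host_macs whose fingerprint is on the target
    list. Malformed entries are skipped rather than aborting the scan."""
    hits = []
    for mac in host_macs:
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            continue
        if mac_fingerprint(canonical) in target_fingerprints:
            hits.append(canonical)
    return hits


def local_macs() -> list:
    """Enumerate this host's MAC addresses using only the standard library.
    Linux: /sys/class/net/<iface>/address. Elsewhere: uuid.getnode(), which
    returns a random address with the multicast bit set when no real one is
    found, so that fallback value is ignored."""
    macs = []
    sysfs = "/sys/class/net"
    if os.path.isdir(sysfs):
        for iface in os.listdir(sysfs):
            try:
                with open(os.path.join(sysfs, iface, "address")) as f:
                    addr = f.read().strip()
            except OSError:
                continue
            if addr and addr != "00:00:00:00:00:00":
                macs.append(addr)
    if not macs:
        node = uuid.getnode()
        if not (node >> 40) & 1:  # bit 40 is the multicast bit of the first octet
            macs.append(f"{node:012x}")
    return macs


if __name__ == "__main__":
    found = check_host(local_macs())
    print("TARGETED" if found else "not on the target list", found)
```

The normalization step matters in practice: the same adapter is reported as `00:11:22:33:44:55` by one tool, `00-11-22-33-44-55` by another and `001122334455` by a third, and a comparison that skips this step silently misses hosts that are on the list.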
The attack is reminiscent of two similar hacks that involved compromising trusted software bearing authentic certificates. While most hacks use methods to run "unsigned," or unverified, code on a target machine, Operation ShadowHammer (and the two similar earlier attacks) compromised trusted software. This let the attacks fly under the radar for long periods of time.
Kaspersky reached out to Asus on January 31st to notify the company of the issue. Researchers then met with Asus on February 14th, but Kaspersky told Motherboard that the 5th largest PC manufacturer has largely been unresponsive. According to Kaspersky, the two Asus certificates used in ShadowHammer are still valid and could be used for future injections.
Kaspersky has a tool you can use to check if your computer was one of those targeted in this attack. You can find it at their site here. If your computer has indeed been compromised, contact Kaspersky Lab at [email protected].