An unidentified attacker used stolen credentials to gain high-level privileges on the network of Czech software security vendor Avast, the company said Monday.

The target of the persistent attack was likely Avast’s software-cleaning tool, CCleaner, the same product that was infiltrated in an infamous 2017 supply-chain breach that affected over 2 million computers.

Worried that the attackers would manipulate CCleaner again, Avast said it halted an upcoming release of the product, revoked its previous security certificate, and put out a security update to users. Those measures, Avast CISO Jaya Baloo assured customers, were enough to ensure that CCleaner users were unaffected by the attack.

Avast, which boasts of 400 million users of its products around the world, said it will study its network logs to learn more about the intrusion.

“It is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose,” Baloo wrote in a blog post. “We do not know if this was the same actor as before and it is likely we will never know for sure,” she wrote.

The 2017 breach of CCleaner is often cited by security experts to illustrate the threat of wide-ranging supply-chain hacks. In the 2017 hack, the attackers signed their malware with a legitimate Avast certificate, a technique that is the hallmark of a clever supply-chain breach. The goal of the operation, which analysts believe was the work of a Chinese state-sponsored group, was reportedly to steal intellectual property from CCleaner customers.

The more recent attack on CCleaner was also persistent. The hacker or hackers had been trying to get into Avast’s network since May, but the company did not notice something was amiss until Sept. It launched an investigation with Czech intelligence officials and police that included quietly monitoring the attacker’s activity rather than immediately evicting it from the network.

The sophisticated supply-chain attack called Operation ShadowHammer that targeted ASUS users can be linked to the "ShadowPad" threat actor and the CCleaner incident, Kaspersky Lab’s security researchers say.

Discovered in January 2019, Operation ShadowHammer relied on a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses.

Following an initial report last month, Kaspersky Lab has published additional details on their investigation into the attack, revealing that the first attempts to compromise users through the backdoored ASUS Live Update utility took place in June 2018.

While no official reports on the matter were published, users posted on online forums such as reddit, complaining of receiving a strange “critical” update for ASUS Live Update. ASUS has since released software updates to address the issue.

One user even observed that the file was actually dated 2015, thus being much older than the version running on their device, and pointed out that the version of the utility being served to them was known to contain vulnerabilities and to be susceptible to being tricked into executing code. Kaspersky’s investigation indeed revealed that the hackers tampered with a legitimate binary that was initially compiled in 2015.

Using legitimate digital certificates, the hackers modified only tiny parts of the file to keep its size and ensure they would not trigger security alerts. The modified binaries included a Trojan downloader designed to fetch and install a backdoor from the file’s resources.

The researchers found over 230 samples associated with the attack. Kaspersky detected the Trojanized utility on tens of thousands of devices running its security products, but says that many others might have been affected. The backdoor, however, was meant to be installed on only 600 select devices, identified by their MAC address, the security researchers say.

The investigation revealed that the attackers targeted the users of multiple vendors, although they appear to have focused on specific ones. One of the targeted MAC addresses was shared by all users of a virtual Ethernet adapter created by a Huawei USB 3G modem, model E3372h.

While investigating the incident, Kaspersky also stumbled upon similar supply-chain incidents that involved video games, with some information on the case shared publicly by ESET in a March 2019 report. The injection methods differed between the ASUS and the video games incidents. The backdoor in the non-ASUS-related cases was straightforward, designed to check whether it has administrative privileges and to gather various information from the infected machine.