ASUS released Live Update version 3.6.8, which addresses vulnerabilities that a remote attacker could exploit to take control of an affected system.
Earlier this week, researchers at Kaspersky Lab reported a new advanced persistent threat (APT) campaign funneling through the supply chain that could be affecting over one million users.
Attackers behind Operation ShadowHammer targeted users of the ASUS Live Update Utility by injecting a backdoor into it, at least between June and November 2018, Kaspersky researchers said. They added that the attack may have affected more than a million users worldwide.
ASUS responded by saying, “ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
“ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
“Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution.”
A supply chain attack is one of the most dangerous and effective infection vectors, and it has been increasingly exploited in advanced operations over the last few years. It targets specific weaknesses in the interconnected systems of human, organizational, material, and intellectual resources involved in the product life cycle, from the initial development stage through to the end user. Even when a vendor’s own infrastructure is secure, there could be vulnerabilities in its providers’ facilities that would sabotage the supply chain, leading to a devastating and unexpected data breach.