A sophisticated supply chain attack hit the ASUS Live Update Utility at a large manufacturer in Asia back in January; the researchers who uncovered it called it “Operation ShadowHammer.”
“Some of the executable files, which were downloaded from the official domain of a reputable and trusted large manufacturer, contained apparent malware features,” said researchers at Kaspersky Lab. “Careful analysis confirmed that the binary had been tampered with by malicious attackers.”
Tampering with executables normally breaks the digital signature, the researchers said. In this case, however, the digital signature was intact: valid and verifiable.
“We quickly realized that we were dealing with a case of a compromised digital signature,” the Kaspersky researchers said.
This was the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and CCleaner incidents in complexity and technique, the researchers said. One reason it stayed undetected for so long is that the Trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).
The goal of the attack was to surgically target an unknown pool of users, who were identified by their network adapters’ MAC addresses, the researchers said. To achieve this, the attackers had hardcoded a list of MAC addresses into the Trojanized samples and the list was used to identify the intended targets of this massive operation.
“We were able to extract more than 600 unique MAC addresses from more than 200 samples used in the attack. There might be other samples out there with different MAC addresses on their lists, though,” the researchers said in a post.
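The practical consequence for defenders is that a published list of targeted MAC addresses can be matched against an asset inventory to find hosts the attackers were after. The following is an added example, not code from the Kaspersky researchers or from ASUS: it normalizes MAC addresses from the mixed notations such lists arrive in (colon, hyphen, Cisco dotted, bare hex) and reports every inventory host whose adapter appears on the list. The indicator values and the inventory are constructed placeholders, not the real ShadowHammer list.

```python
import re

# Constructed indicator list in the mixed notations a defender typically receives.
# These are made-up values for illustration, not the real ShadowHammer MAC list.
IOC_MACS = [
    "00:1A:2B:3C:4D:5E",   # colon-separated, upper case
    "00-1a-2b-3c-4d-5f",   # hyphen-separated, lower case
    "001a.2b3c.4d60",      # Cisco dotted notation
    "001A2B3C4D61",        # bare hex
]


def normalize_mac(raw: str) -> str:
    """Reduce any common MAC notation to 12 lower-case hex digits.

    Raises ValueError for strings that do not contain exactly 12 hex digits,
    so malformed inventory entries cannot silently match or be skipped unnoticed.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def find_targeted_hosts(inventory: dict, ioc_macs: list) -> list:
    """Return sorted (host, mac) pairs for every adapter found on the targeting list.

    Hosts may carry several adapters, and any one of them matching is enough,
    mirroring the per-adapter check the Trojanized updater performed.
    """
    targets = {normalize_mac(m) for m in ioc_macs}
    hits = []
    for host, macs in inventory.items():
        for mac in macs:
            try:
                normalized = normalize_mac(mac)
            except ValueError:
                # Bad inventory data is skipped here; a real job would log it.
                continue
            if normalized in targets:
                hits.append((host, normalized))
    return sorted(hits)


# Constructed asset inventory: hostname -> MAC addresses of its network adapters.
INVENTORY = {
    "ws-0001": ["00:1A:2B:3C:4D:5E", "02:42:AC:11:00:02"],
    "ws-0002": ["08:00:27:12:34:56"],
    "ws-0003": ["b8-27-eb-00-11-22", "001a.2b3c.4d60"],
    "ws-0004": ["not-a-mac"],
}

if __name__ == "__main__":
    for host, mac in find_targeted_hosts(INVENTORY, IOC_MACS):
        print(f"{host}: adapter {mac} is on the targeting list")
```

Run against a real export of adapter MACs, the output is the set of hosts to prioritize for forensic review; a host that matches was a deliberate target, not collateral.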
The research started upon the discovery of a Trojanized ASUS Live Updater file (setup.exe), which contained a digital signature of ASUSTeK Computer Inc. and had been backdoored using one of two techniques.
Security software deployed today relies on integrity controls over trusted executables, and digital signature verification is one such control. In this attack, the attackers managed to get their code signed with a certificate of a big vendor, the researchers said.
“While attacks on supply chain companies are not new, the current incident is a big landmark in the cyberattack landscape,” Kaspersky researchers said. “Not only does it show that even reputable vendors may suffer from compromising of digital certificates, but it raises many concerns about the software development infrastructure of all other software companies. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker. How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.
“Does it mean that we should stop trusting digital signatures? No. But we definitely need to investigate all strange or anomalous behavior, even by trusted and signed applications,” the researchers said. “Software vendors should introduce another line in their software building conveyor that additionally checks their software for potential malware injections even after the code is digitally signed.”
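One way to implement that extra line in the build conveyor is a release gate that does not take the code signature as sufficient: the build server records a digest of what it actually produced, attested with key material independent of the code-signing key, and the gate refuses any signed artifact whose content does not match that record. The following is an added example, not code from the researchers or from any vendor named here. It assumes the build server and the gate share an HMAC key (a constructed stand-in for an asymmetric attestation key or a transparency log) and that the gate is handed the bytes the code signature covers (the whole file for a detached signature; for embedded formats such as Authenticode, the signature-excluded region that the format itself hashes).

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the build server and the release gate.
# A real pipeline would use an asymmetric attestation key or a transparency log,
# and never reuse the code-signing key for this purpose.
BUILD_ATTESTATION_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attest_build(artifact: bytes, build_id: str, key: bytes = BUILD_ATTESTATION_KEY) -> dict:
    """Build server side: record the digest of the artifact the pipeline produced."""
    record = {"build_id": build_id, "sha256": sha256_hex(artifact)}
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_attestation(attestation: dict, key: bytes = BUILD_ATTESTATION_KEY) -> bool:
    """Check that the attestation record was produced by the holder of the key."""
    body = json.dumps(attestation["record"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["tag"])


def release_gate(signed_payload: bytes, code_signature_valid: bool, attestation: dict,
                 key: bytes = BUILD_ATTESTATION_KEY) -> tuple:
    """Post-signing gate: a valid code signature alone does not release a build.

    Returns (allowed, reason). The artifact must also be the exact output the
    build server attested, so a binary that was modified before signing, yet
    carries a genuine signature, is still rejected.
    """
    if not code_signature_valid:
        return False, "code signature invalid"
    if not verify_attestation(attestation, key):
        return False, "build attestation tampered"
    if sha256_hex(signed_payload) != attestation["record"]["sha256"]:
        return False, "artifact does not match build attestation"
    return True, "ok"


if __name__ == "__main__":
    clean = b"constructed build output"          # stands in for the real artifact
    attestation = attest_build(clean, "build-42")
    print(release_gate(clean, True, attestation))                  # (True, 'ok')
    print(release_gate(clean + b"\x90\x90", True, attestation))    # signed but modified
```

The design choice worth noting is that the gate's trust anchor is the build server's record, not the signing step; the signature check still runs, but it is one input among several rather than the decision on its own.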