April 8, 2019 | Written by: Michelle Reinhold
The Supply Chain Attacks… Again
Always be cautious, even with trusted brands
On March 25th, 2019, Motherboard released an article highlighting a recent Supply Chain Attack, discovered by Kaspersky Lab in January 2019. Motherboard defines Supply Chain Attacks as “hackers gaining access to a software company’s infrastructure and injecting malware into new software releases or security updates.” These attacks prey on the trust between the installing user and the supplier. In this discovery, well-known computer manufacturer, ASUS, had its driver and firmware update system compromised; allowing the attackers to push malicious software using the ASUS brand. At the time the article was written the scope and purpose of the attack was still being investigated, however it has since been independently verified by cybersecurity software provider, Symantec. The estimated number of systems infected by the trojan is around a half a million machines.
You may be thinking “How did so many machines get infected with a trojan without antivirus/antimalware alerting the user?” There are several reasons for this.
First, the trojan was digitally signed by ASUS. Drivers and firmware are digitally signed using cryptography to validate the origin of the software. When a driver is digitally signed by the hardware vendor, it will not be heavily scrutinized because it is presumed to come from a trusted source.
Second, the lack of detection of the trojan is because it was only activated on a select few machines. The activation process appears to be linked to a list of 600 MAC addresses. If the unique identifying address appears on the Network Interface, the trojan downloads secondary malware, if it doesn’t the trojan remains dormant.
This attack, like the 2017 CCleaner attack, was surgical in nature. Because of the similarities and because ASUS was on the targeted list in that attack, it is widely speculated that the source of the initial breach was the CCleaner attack. One thing is certain, the attackers must have been inside ASUS’s network for a very long time to coordinate this attack. It would take a great deal of time and stealth to obtain the list of targeted MAC addresses while compromising the software signing certificate and update infrastructure. These were very skilled hackers working methodically under the radar.
There are many reasons that this, and stories like it, should get your attention. Most importantly, breaches like this are not just researched and studied by security professionals and ethical hackers; they are also studied by the bad guys. The methods and tactics of elite hackers will filter down to the average cyber criminal looking for a payday.
Today, Supply Chain exploitation and compromises are happening all around you. You may already be familiar with spoofed emails from a vendor asking to click on a DocuSign link or a compromised email account asking for the payment method of a valid invoice to be changed to a wire transfer. However, it’s the unseen, unheard of attacks that you need to concerned about.
You may think that you are too small to be a target, but from a hacker’s perspective small businesses are the perfect target. They often can’t afford the latest and greatest in computer security technologies, or a dedicated security staff to gather threat intelligence and monitor their system. They are the perfect training and proving ground for less experienced hackers to test new methods of compromise. Since small businesses are often connected to larger targets, they are the perfect launching pad for the payday exploit.
We at Business Information Group, Inc (BIG) are here to help keep you protected. You can leverage our Networking Team to deploy and configure technologies that provide security and visibility into your network infrastructure. Leverage our Software Consulting Team to provide custom applications that provide your employees with the information they need, without giving them unneeded access to additional data. Leverage our Wireless Team to securely provide mobile access to employees and customers. As your fulcrum, our Security Team will test, monitor, and validate your systems to detect and stop emerging threats before they cause harm to your business.
“Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.” – Archimedes
Kaspersky has released a tool you can use to check if your machine has one of the targeted MAC addresses. ASUS has released their official response and included a download link for their detection tool.