Monday, March 25th 2019
Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers
In a chilling reminder of why a vendor's auto-updating utility is only as trustworthy as the server feeding it, Vice Motherboard, citing Kaspersky Lab, reports that attackers compromised ASUS's Live Update servers and used them to push malware to thousands of computers configured to fetch and install updates automatically. Affected systems include not just PC motherboards but also pre-built ASUS notebooks and desktops that ship with the Live Update utility. The attackers signed their malware with valid ASUS code-signing certificates, so it passed as a legitimate ASUS update. Two caveats follow from that: a signature check alone could not have flagged the files, and a user who downloaded the same update by hand from the same compromised server would have received the same backdoor, so "update manually" is not by itself a defense here. Kaspersky's findings concern the Windows Live Update utility; the reporting does not establish that ASUS smartphones or IoT devices were reached through this channel.
Kaspersky Lab estimates that as many as half a million devices received the malware from ASUS's servers. The firm says it discovered the backdoored updater in January 2019 while rolling out a new supply-chain detection technology, and notified ASUS at the end of January. Kaspersky also sent a technically qualified representative to meet ASUS in February. Kaspersky says ASUS has been "largely unresponsive since then and has not notified ASUS customers about the issue." ASUS is already drawing heavy criticism from the PC enthusiast community over Armoury Crate, a feature that lets the motherboard BIOS push software into a Windows installation through an ACPI table (the Windows Platform Binary Table, WPBT); critics have dubbed the mechanism "the vendor's rootkit," and ASUS enabled it by default on new motherboards. Anything a BIOS update places behind that table runs inside Windows without going through a normal download or installer, and whether any recent ASUS BIOS update has pushed something unwanted through this path is, at this point, unknown.
Source:
Vice Motherboard
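The ACPI mechanism behind Armoury Crate is the Windows Platform Binary Table (WPBT): firmware leaves a PE image in memory, and a small ACPI table tells Windows where the image is and how to run it, so the program appears inside the OS without ever being downloaded. The parser below is an added example written for this page, not ASUS's or Microsoft's code. It builds a constructed sample table and decodes it using the field layout from Microsoft's WPBT document as understood here (36-byte ACPI header, then handoff memory size, handoff physical address, content layout, content type, and a UTF-16 command line); that layout, the field names and all sample values are this example's own assumptions.

```python
import struct
from pathlib import Path
from typing import Optional

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT body that follows the header (layout per Microsoft's WPBT document,
# treated as an assumption here): handoff memory size (u32), handoff physical
# address (u64), content layout (u8), content type (u8), command-line length (u16).
WPBT_BODY = struct.Struct("<IQBBH")
CONTENT_LAYOUT_SINGLE_PE = 1       # a single PE image at the handoff address
CONTENT_TYPE_NATIVE_USER_APP = 1   # run by the session manager as a native app


def acpi_checksum(table: bytes) -> int:
    """Value for the header checksum byte so that all bytes sum to 0 mod 256."""
    return (-sum(table)) & 0xFF


def build_sample_wpbt(image_phys_addr: int, image_size: int, cmdline: str) -> bytes:
    """Constructed sample table for this example; NOT a real vendor table."""
    cmd = cmdline.encode("utf-16-le") + b"\x00\x00"  # UTF-16, NUL-terminated
    body = WPBT_BODY.pack(image_size, image_phys_addr,
                          CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_USER_APP,
                          len(cmd)) + cmd
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"EXAMPLE1",
                              1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = acpi_checksum(bytes(table))  # checksum byte sits at offset 9
    return bytes(table)


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT blob, validating signature, length and checksum first."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, revision, _chk, oem_id, oem_table_id, _orev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != blob length {len(table)}")
    if sum(table) & 0xFF:
        raise ValueError("ACPI checksum mismatch")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_off = ACPI_HEADER.size + WPBT_BODY.size
    if cmd_off + cmd_len > len(table):
        raise ValueError("command line runs past end of table")
    cmdline = table[cmd_off:cmd_off + cmd_len].decode("utf-16-le").rstrip("\x00")
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "image_phys_addr": addr,   # where firmware left the PE image
        "image_size": size,
        "content_layout": layout,
        "content_type": ctype,
        "cmdline": cmdline,        # arguments Windows passes to that image
    }


def read_wpbt_from_sysfs(path: str = "/sys/firmware/acpi/tables/WPBT") -> Optional[dict]:
    """On Linux, decode the firmware's live WPBT if one is exposed (needs root)."""
    p = Path(path)
    if not p.exists():
        return None
    try:
        return parse_wpbt(p.read_bytes())
    except PermissionError:
        return None  # table exists but we are not root; rerun with privileges


if __name__ == "__main__":
    sample = build_sample_wpbt(0x7FF0_0000, 0x10000, "/quiet /norestart")
    print("sample table:", parse_wpbt(sample))
    live = read_wpbt_from_sysfs()
    print("live WPBT:", live if live else "none exposed (or not readable) on this host")
```

Running it on a Linux box with the sysfs path readable tells you whether your firmware is advertising a WPBT at all and what command line it carries; a board with Armoury Crate disabled in the BIOS should expose none. On Windows, Microsoft's WPBT document describes a DisableWpbtExecution value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that stops the image from being run, which is the OS-side kill switch if the firmware setting is unavailable.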
43 Comments on Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers
I never used such software and never will.
Simple, don't use that crap.
This one was also part of a broader attack which is quite interesting because they already knew the MAC addresses for their targets and had a second stage that was triggered if you were one of their targets. Also not the first time ASUS was popped and didn't tell anyone. They were sued by the FTC for having crap software riddled with vulnerabilities that they knew about for over a year without doing anything.
I'm guessing ASUS had an unsigned distribution server. Incredibly negligent. And why opaque systems like this are bad.
My earlier comments trying to exonerate ASUS here did not fully comprehend the situation. This is downright stupid but then that's kind of what I expect from ASUS when it comes to mobo drivers/software.
EDIT: Oh good god. It's not even unsigned, but they were notified and just did nothing to prevent imminent catastrophe?
Even when it was as simple as revoking a cert DIGITALLY? LIKE THEY DID NOT EVEN HAVE TO LEAVE THE OFFICE?
That's even worse than being stupid. That's like being smart enough to know better, but too lazy to care and don't want to type the command to fix everything because you just ate 20 king size Butterfinger candy bars and are in a food coma, and then when you wake up a month later still doing nothing because you don't want to stain the neato custom ivory keyboard something-or-other you spent all your customers' cash on with your lazyass chocolate-stained fingers.
For God's sake ASUS, WTF!
Up until now I've always preferred Asus but with the recent stuff and now this too, can't really say they are a preference for new builds to me anymore.
There is one question - how does Kaspersky know half a million infected PCs if ASUS are being quiet?
I have been using a few ROG generations of motherboards but autoupdate for me was often broken.
I usually do manual update of drivers and bios.
Now I am also happy that ASUS Grid stopped working on my Crosshair VII a year ago.
What I am concerned about is if it could be that the updates that you download from their website are also infected? :confused:
I have ZoneAlarm Extreme Security installed, but I have not seen any message from it while manually updating drivers.
@the54thvoid - most AV solutions today have also a centralized (cloud) defense center from where you can get live data about threats and be protected faster in case of new attacks. Kaspersky also has this option (which last time I checked you had to explicitly enable it, it was not on by default, although many already use their alternatives active by default).
As for ASUS, my main problem with them has always been over-pricing for nothing, so I passed paying for a brand which in time proved to be of lower and lower quality over the years. No offense to any RoG notebook owners.
My latest experience is about a Rampage VI Extreme that is advertised with a huge list of features, many of which unfortunately depend on software in order to work. As a result features such as Windows fan control (AI Suite & Fan Xpert), along with the heavily promoted Aura Sync, are a mess. A big freaking mess!!
The board is fine and really stable but after paying a premium for it one would expect ALL features to work but this is not the case. I decided to only use one piece of software AURA and even this is not working properly and lacks features. And of course Asus does not seem to care.
I am very glad I never installed any of their other utilities or Autoupdate Junk and will think twice before getting an Asus board in an upcoming pure gaming build with 9900K.
edit: the following article has more info, including a link to check if you're infected. Apparently.
www.theregister.co.uk/2019/03/25/asus_software_update_utility_backdoor/
They were first to proudly bend over for Nvidia GPP along with MSI; their hardware is performing below/on par with the competition but with a higher price tag. Their motherboards seem to be about looks nowadays rather than high quality.
Speaking of quality, their low/midrange lineups of hardware leave MUCH to be desired...
And now this...
Guess my Ryzen 3000 upgrade scheduled for next year is gonna be based on ASRock.
What I find the most interesting is that the attackers already knew the MAC addresses they were targeting. I would surmise that they retrieved those from the previous ASUS hack they did.
www.asus.com/News/hqfgVUyZ6uyAyJe1
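Two comments above point at the most interesting detail of this attack: the backdoored updater carried a list of the targets' MAC addresses and only fetched its second stage on a matching machine. Kaspersky's report describes that list as MD5 hashes of MAC addresses rather than plaintext, which keeps analysts from reading the target list straight out of the sample. The script below is an added example for this page, not the attackers' code or Kaspersky's checker: it shows the targeting check as a defender would reimplement it, using a constructed target list, constructed `ip -o link` output, and one explicit assumption (MD5 over the six raw address bytes; the exact input encoding the real binary used is not something this page establishes).

```python
import hashlib
import re
import subprocess

# Constructed target list for this example: hashes of MACs chosen here,
# NOT the attackers' real list (that is in Kaspersky's report).
DEMO_TARGET_MACS = ["00:11:22:33:44:55", "de:ad:be:ef:00:01"]

# Constructed `ip -o link` output standing in for a live Linux host.
SAMPLE_IP_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN ... link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP ... link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN ... link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
"""

# Only Ethernet-style adapters carry a usable hardware address; loopback is skipped.
MAC_RE = re.compile(r"link/ether ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def normalize_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff (any case) -> 6 raw bytes."""
    hexstr = mac.replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes.fromhex(hexstr)


def mac_hash(mac: str) -> str:
    # Assumption for this example: MD5 over the six raw address bytes.
    return hashlib.md5(normalize_mac(mac)).hexdigest()


DEMO_TARGET_HASHES = frozenset(mac_hash(m) for m in DEMO_TARGET_MACS)


def parse_ip_link_macs(text: str) -> list:
    """Pull every Ethernet MAC out of `ip -o link` output, lower-cased."""
    return [m.lower() for m in MAC_RE.findall(text)]


def matching_macs(local_macs, target_hashes=DEMO_TARGET_HASHES) -> list:
    """The implant's gate: which local adapters hash into the target set?
    An empty list means the second stage would never have been fetched."""
    return [m for m in local_macs if mac_hash(m) in target_hashes]


def live_macs() -> list:
    """Read the real adapters on a Linux host via ip(8)."""
    out = subprocess.run(["ip", "-o", "link"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ip_link_macs(out)


if __name__ == "__main__":
    hits = matching_macs(parse_ip_link_macs(SAMPLE_IP_LINK_OUTPUT))
    print("sample host targeted:", bool(hits), hits)
    try:
        hits = matching_macs(live_macs())
        print("this host targeted (demo list):", bool(hits), hits)
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ip(8) not available; live check skipped")
```

To run this against the real list, replace DEMO_TARGET_HASHES with the hashes Kaspersky published and check the encoding assumption against their checker. Note why hashing buys the attackers less than it looks: the address space behind a known vendor OUI is only 2^24 values, so anyone holding the hash list can enumerate candidate MACs and recover the targets by brute force, which is how the targeted organisations could be identified from the sample alone.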